ArcGIS Blog

Administration

ArcGIS Trust Center

June 2026 ArcGIS Security Bulletin

By Michael Young and Randall Williams

ArcGIS Enterprise Account Recovery Targeted

As organizations around the world have improved the security of application login mechanisms, such as enforcing MFA, attackers have increasingly shifted to exploiting account recovery mechanisms.  Esri is actively responding to reports that an ArcGIS Enterprise account recovery configuration has been used in targeted attempts against customer environments. Customers using built-in accounts should review and apply the recommendations below as soon as possible.

First, if your ArcGIS Enterprise deployment does not have any built-in accounts enabled, then your system is as safe as the configuration of your organization’s central identity management system account recovery processes. As listed in the ArcGIS Enterprise Hardening Guide which was recently streamlined, Esri recommends utilizing centralized identity managed accounts – see control ID IA-B12.

Remediation:

Esri has released the Portal for ArcGIS Security 2026 Update 2 Patch, which is available here.

This patch was released June 23, 2026. We strongly encourage ArcGIS Enterprise customers apply this patch within the next two weeks to minimize risk. This patch resolves Critical and High Severity vulnerabilities in Portal for ArcGIS versions 12.1 and prior and addresses the ArcGIS Enterprise Account Recovery issue. More details are provided later in this bulletin.

Recommendations:

If your organization need time to apply the patch and utilizes any built-in application accounts, then we recommend immediately taking the following five easy steps:

  1. Ensure no weak account recovery answers are utilized (AS-B11)
  2. Ensure no common admin names are used for built-in Enterprise accounts (AS-B11)
  3. Ensure Portal PSA and Server IAA accounts are disabled (AS-B2)
  4. Ensure ArcGIS Enterprise service account not assigned admin access (AS-B20)
  5. Run the Security & Privacy Adviser tool (see ArcGIS Trust Center) (IM-B4)

Near-term Recommendations:

  1. Implement SMTP for email validation of account changes (AS-B3)
  2. Esri has released a security patch that further improves the security of the remote user account recovery (Forgot password) workflow, such as requiring SMTP to be enabled for the remote user reset process to work. Esri has always strongly recommended utilizing SMTP for validating accounts via email (AS-B3).  Recent cases have made it apparent that SMTP must be required to securely support the current remote password reset workflow.  Customers without SMTP will still be able to:  1) Allow administrators to reset the password for any existing built-in user,  2) Allow any user to change their own password after logging in.

Long-term Recommendations:

These recommendations are more strategic and require significantly more effort to implement but payoff with a considerably stronger security posture:

  1. Utilize centralized identity providers as primary authentication mechanism (IA-B12)
  2. Require MFA for all admin account logins (IA-B1)
  3. Keep your applications up-to-date with the latest hardening guidance
  4. If unable to keep applications up-to-date consider hosting providers or SaaS

Portal for ArcGIS Security 2026 Update 2 Patch Details:

Cumulative – This patch is cumulative and does not require that you install any previous Portal for ArcGIS Security patches prior to installing this patch – Using the Patch Notification Utility can help ease this process. This patch is NOT dependent on other patches to be in place.

Esri has reserved CVE identifiers for two vulnerabilities fixed in this patch.

CVE-2026-13020: A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a user’s password remains unchanged.

  • CWE-640: Weak Password Recovery Mechanism for Forgotten Password
  • Base CVSSv3.1: 8.1
  • Temporal CVSSv3.1: 7.7
  • Affected: Portal for ArcGIS 12.1 and prior.

CVE-2026-13019: Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.

  • CWE-306: Missing Authentication for Critical Function
  • Base CVSSv3.1: 9.8
  • Temporal CVSSv3.1: 9.4
  • Affected: Portal for ArcGIS 12.1 and prior.

Patch notes:

This patch may potentially be disruptive for some customers.

What will the patch do?

  • IF the site does NOT have email enabled: Admins will be responsible for resetting user passwords. The “recovery question” based mechanism is no longer available.
  • IF the site DOES have email enabled: Users can reset their own passwords using the email-based process.
  • Users who use SAML/OpenID Connect/LDAP or Windows Users and roles: Will see NO CHANGE.
    • Those users are not managed at the ArcGIS Enterprise level – they are managed at the Identity Provider (IDP) level.

Esri will continue to update this bulletin as additional information becomes available. Check back here for the latest guidance.

 

  • Esri Software Security & Privacy

Share this article