Skip to main content

Portal for ArcGIS EUVDEUVD-2026-42058

| CVE-2026-13019 CRITICAL
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-07-07 Esri GHSA-6rrr-4jqj-5947
9.8
CVSS 3.1 · Vendor: Esri
Share

Severity by source

Vendor (Esri) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unprotected network API with no auth or interaction gives AV:N/AC:L/PR:N/UI:N; C/I/A retained High as the exposed function is critical/administrative, though I and A are inferred from vendor rating.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Esri).

CVSS VectorVendor: Esri

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jul 07, 2026 - 18:01 EUVD
Analysis Generated
Jul 07, 2026 - 17:23 vuln.today
CVE Published
Jul 07, 2026 - 16:40 nvd
CRITICAL 9.8

DescriptionCVE.org

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.

AnalysisAI

Missing authentication in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes deployments) exposes a critical API endpoint that a remote, unauthenticated attacker can reach directly, bypassing access controls to interact with functionality that should require an authenticated session. Esri rates this critical (CVSS 9.8) and disclosed it in its June 2026 ArcGIS security bulletin; no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed ArcGIS Portal instance
Delivery
Send unauthenticated request to unprotected API
Exploit
Bypass missing authentication check
Execution
Invoke critical portal function
Impact
Access or alter portal data/config

Vulnerability AssessmentAI

Exploitation The affected Portal for ArcGIS API endpoint must be network-reachable by the attacker (e.g., internet-facing or reachable within a routable network segment), and the instance must be running version 12.1 or earlier on Windows, Linux, or Kubernetes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) describes the worst-case profile: network-reachable, low complexity, no privileges, no user interaction, with high impact to confidentiality, integrity, and availability - consistent with an unauthenticated, remotely reachable administrative function. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans for internet-exposed ArcGIS Portal instances and sends unauthenticated HTTP requests directly to the affected REST API endpoint, receiving a valid response without any login. Given AV:N/AC:L/PR:N, this requires only network reachability and no credentials or user interaction, allowing the attacker to invoke the exposed critical function to read or alter portal data or configuration. …
Remediation Apply the update referenced in Esri's June 2026 ArcGIS security bulletin (https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/june-2026-arcgis-security-bulletin); a patch is available per the vendor advisory, but the exact fixed version is not specified in the available data and must be taken directly from the bulletin - do not assume a version number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

WITHIN 24 HOURS: Inventory all Esri Portal for ArcGIS instances running version 12.1 or earlier; immediately restrict network access via firewall rules and network segmentation to limit exposure to administrative subnets only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

EUVD-2026-42058 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy