Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unprotected network API with no auth or interaction gives AV:N/AC:L/PR:N/UI:N; C/I/A retained High as the exposed function is critical/administrative, though I and A are inferred from vendor rating.
Primary rating from Vendor (Esri).
CVSS VectorVendor: Esri
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.
Articles & Coverage 2
AnalysisAI
Missing authentication in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes deployments) exposes a critical API endpoint that a remote, unauthenticated attacker can reach directly, bypassing access controls to interact with functionality that should require an authenticated session. Esri rates this critical (CVSS 9.8) and disclosed it in its June 2026 ArcGIS security bulletin; no public exploit identified at time of analysis and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The affected Portal for ArcGIS API endpoint must be network-reachable by the attacker (e.g., internet-facing or reachable within a routable network segment), and the instance must be running version 12.1 or earlier on Windows, Linux, or Kubernetes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) describes the worst-case profile: network-reachable, low complexity, no privileges, no user interaction, with high impact to confidentiality, integrity, and availability - consistent with an unauthenticated, remotely reachable administrative function. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans for internet-exposed ArcGIS Portal instances and sends unauthenticated HTTP requests directly to the affected REST API endpoint, receiving a valid response without any login. Given AV:N/AC:L/PR:N, this requires only network reachability and no credentials or user interaction, allowing the attacker to invoke the exposed critical function to read or alter portal data or configuration. … |
| Remediation | Apply the update referenced in Esri's June 2026 ArcGIS security bulletin (https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/june-2026-arcgis-security-bulletin); a patch is available per the vendor advisory, but the exact fixed version is not specified in the available data and must be taken directly from the bulletin - do not assume a version number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
WITHIN 24 HOURS: Inventory all Esri Portal for ArcGIS instances running version 12.1 or earlier; immediately restrict network access via firewall rules and network segmentation to limit exposure to administrative subnets only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42058
GHSA-6rrr-4jqj-5947