{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/portal-for-arcgis-12.1-and-earlier/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-13019"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Portal for ArcGIS 12.1 and earlier"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","esri","arcgis","unauthenticated-access","api-security","rce"],"_cs_type":"advisory","_cs_vendors":["Esri"],"content_html":"\u003cp\u003eA critical missing authentication vulnerability, tracked as CVE-2026-13019, has been identified in Esri Portal for ArcGIS versions 12.1 and earlier. This flaw allows a remote, unauthenticated attacker to bypass authentication mechanisms and directly access critical API functions. With a CVSS v3.1 base score of 9.8, this vulnerability poses an extreme risk, enabling attackers to potentially manipulate or extract sensitive Geographic Information System (GIS) data, compromise system integrity, or perform unauthorized administrative operations. The vulnerability affects deployments across various platforms, including Windows, Linux, and Kubernetes environments, making a wide range of organizations using Esri's GIS solutions susceptible to compromise. Immediate patching is imperative to mitigate the risk of unauthorized access and potential data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a public-facing Esri Portal for ArcGIS instance running version 12.1 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker researches or discovers the specific critical API endpoints vulnerable to authentication bypass.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP request targeting a known critical API endpoint on the vulnerable Esri Portal for ArcGIS system.\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to the Esri Portal for ArcGIS web server without including valid authentication credentials.\u003c/li\u003e\n\u003cli\u003eDue to the missing authentication vulnerability (CVE-2026-13019), the Esri Portal for ArcGIS processes the unauthenticated request as if it were legitimate.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully gains unauthorized access to the unprotected critical API, enabling them to invoke sensitive functions or retrieve privileged information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-13019 grants remote, unauthenticated attackers full access to critical API functions within Esri Portal for ArcGIS. This can lead to a range of severe consequences, including unauthorized viewing, modification, or deletion of sensitive GIS data, system configuration changes, and potentially full compromise of the Esri Portal infrastructure. Organizations in sectors relying heavily on GIS data, such as government, utilities, and infrastructure, are particularly at risk. The broad platform applicability (Windows, Linux, Kubernetes) means a wide array of deployments are exposed, potentially leading to widespread data breaches or operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-13019 on all Esri Portal for ArcGIS instances immediately by upgrading to a patched version (12.2 or later) or applying the vendor-provided security updates.\u003c/li\u003e\n\u003cli\u003eReview Esri Portal for ArcGIS web server access logs for anomalous unauthenticated access patterns to API endpoints that could indicate attempted or successful exploitation of CVE-2026-13019.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T17:17:53Z","date_published":"2026-07-07T17:17:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-esri-portal-rce/","summary":"A critical missing authentication vulnerability (CVE-2026-13019) in Esri Portal for ArcGIS versions 12.1 and earlier allows a remote, unauthenticated attacker to access unprotected critical APIs, impacting deployments on Windows, Linux, and Kubernetes environments.","title":"Critical Unauthenticated API Access in Esri Portal for ArcGIS (CVE-2026-13019)","url":"https://feed.craftedsignal.io/briefs/2026-07-esri-portal-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Portal for ArcGIS 12.1 and Earlier","version":"https://jsonfeed.org/version/1.1"}