CVE-2026-13019: CWE-640 Weak Password Recovery Mechanism for Forgotten Password in Esri Portal for ArcGIS
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.
AI Analysis
Technical Summary
Esri Portal for ArcGIS versions 12.1 and earlier contain a vulnerability classified as CWE-640, where a critical function related to password recovery lacks proper authentication. This allows remote attackers without any privileges to access an unprotected API endpoint, potentially leading to full compromise of the system. The vulnerability affects multiple platforms including Windows, Linux, and Kubernetes deployments. The CVSS v3.1 base score is 9.8, reflecting network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No patch or official remediation guidance has been provided by the vendor as of the published date.
Potential Impact
An unauthenticated remote attacker can exploit this vulnerability to access a critical API without authentication, potentially leading to full system compromise including unauthorized data access, modification, or denial of service. The vulnerability affects confidentiality, integrity, and availability with maximum severity as indicated by the CVSS score of 9.8.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided by Esri, organizations should monitor vendor communications closely. Until a patch is available, consider restricting network access to the Portal for ArcGIS management interfaces and APIs to trusted administrators only, and implement compensating controls such as network segmentation and enhanced monitoring for suspicious activity related to password recovery functions.
CVE-2026-13019: CWE-640 Weak Password Recovery Mechanism for Forgotten Password in Esri Portal for ArcGIS
Description
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.
CVSS v3.1
Score 9.8critical
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Esri Portal for ArcGIS versions 12.1 and earlier contain a vulnerability classified as CWE-640, where a critical function related to password recovery lacks proper authentication. This allows remote attackers without any privileges to access an unprotected API endpoint, potentially leading to full compromise of the system. The vulnerability affects multiple platforms including Windows, Linux, and Kubernetes deployments. The CVSS v3.1 base score is 9.8, reflecting network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No patch or official remediation guidance has been provided by the vendor as of the published date.
Potential Impact
An unauthenticated remote attacker can exploit this vulnerability to access a critical API without authentication, potentially leading to full system compromise including unauthorized data access, modification, or denial of service. The vulnerability affects confidentiality, integrity, and availability with maximum severity as indicated by the CVSS score of 9.8.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided by Esri, organizations should monitor vendor communications closely. Until a patch is available, consider restricting network access to the Portal for ArcGIS management interfaces and APIs to trusted administrators only, and implement compensating controls such as network segmentation and enhanced monitoring for suspicious activity related to password recovery functions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Esri
- Date Reserved
- 2026-06-23T16:51:42.540Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4d2cd5c9d9e3dbe382541c
Added to database: 07/07/2026, 16:44:05 UTC
Last enriched: 07/07/2026, 16:58:55 UTC
Last updated: 07/07/2026, 17:29:09 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.