CVE-2026-13019 Esri Portal for ArcGIS vulnerability
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.
Quick answer
Esri Portal for ArcGIS should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Portal for ArcGIS 12.1 and earlier
Fixed versions
- Portal for ArcGIS Security 2026 Update 2 Patch
How to fix it
CVE-2026-13019 affects Esri Portal for ArcGIS 12.1 and earlier on Windows, Linux, and Kubernetes where missing authentication for a critical Portal for ArcGIS API function can expose an unprotected API to remote unauthenticated attackers. Prioritize internet-facing ArcGIS Enterprise portals and deployments that use built-in accounts because account recovery and unauthenticated API flaws can lead to account takeover or critical API access. Esri remediates the issue with the Portal for ArcGIS Security 2026 Update 2 Patch. Until the patch is deployed, require centralized identity providers where possible, configure SMTP-backed password recovery, and reduce built-in account exposure.
- Inventory every Portal for ArcGIS deployment, including Windows, Linux, Kubernetes, staging, and disaster recovery environments.
- Identify versions 12.1 and earlier and schedule installation of the Portal for ArcGIS Security 2026 Update 2 Patch.
- Apply the Esri security patch through the approved ArcGIS Enterprise maintenance process and validate portal, federation, and service health afterward.
- Configure an email server for ArcGIS Enterprise password reset workflows and prefer SAML or OIDC for centralized identity management.
- Disable or tightly control weak built-in account recovery paths, common administrator names, Portal PSA accounts, Server IAA accounts, and over-privileged service accounts while remediation is pending.
- Review portal, web adaptor, reverse proxy, identity provider, and administrative logs for suspicious password recovery, unauthenticated API, or built-in account activity.
- If account takeover or unauthorized API access is suspected, reset affected passwords, revoke tokens, rotate service credentials, and preserve evidence before cleanup.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm every Portal for ArcGIS 12.1 or earlier environment has the Portal for ArcGIS Security 2026 Update 2 Patch installed or has been upgraded beyond the affected release.
- Confirm the affected Portal API endpoint requires authentication and rejects unauthenticated requests after the patch.
- Run Esri Security & Privacy Adviser and confirm account recovery, administrator naming, service account, and identity provider controls pass the intended policy.
- Confirm internet-facing routes, reverse proxies, and firewall rules expose only intended ArcGIS Enterprise endpoints.
- Document patch level, identity configuration, SMTP configuration, log review, and any remaining compensating controls.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-13019?
Esri Portal for ArcGIS versions listed as affected should be reviewed: Portal for ArcGIS 12.1 and earlier.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
