CVE-2026-13019

CVE-2026-13019 is a critical-severity vulnerability with a CVSS 3.x base score of 9.8. The underlying weakness is classified as CWE-640.

Key facts

Description

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.

Frequently asked questions

What is CVE-2026-13019?
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.
How severe is CVE-2026-13019?
CVE-2026-13019 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2026-13019 being actively exploited?
It is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no EPSS exploit-prediction score is available yet.
How do I fix CVE-2026-13019?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
When was CVE-2026-13019 published?
CVE-2026-13019 was published on 2026-07-07 and last updated on 2026-07-08.

References

Other CWE-640 vulnerabilities

Browse all CWE-640 vulnerabilities →