Weak Password Recovery Mechanism in Esri Portal for ArcGIS
CVE-2026-13020
8.1HIGH
What is CVE-2026-13020?
A weakness has been identified in the password recovery mechanism of Esri Portal for ArcGIS up to version 12.1. This vulnerability allows remote, unauthorized attackers to potentially gain control over user accounts by exploiting the system's insufficient password recovery processes. It is essential for ArcGIS Administrators to implement an email server configured with ArcGIS Enterprise to enable secure user self-service password recovery. The existing ability for administrators to reset user passwords remains unaffected, ensuring continued control over account management.
Affected Version(s)
Portal for ArcGIS Windows 0 < 12.1
