A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a user’s password remains unchanged.
References
| Link | Resource |
|---|---|
| https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/june-2026-arcgis-security-bulletin | Vendor Advisory |
Configurations
Configuration 1 (hide)
| AND |
|
History
09 Jul 2026, 14:33
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:* cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:* cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| First Time |
Linux
Esri portal For Arcgis Kubernetes kubernetes Linux linux Kernel Esri Microsoft windows Kubernetes Microsoft |
|
| References | () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/june-2026-arcgis-security-bulletin - Vendor Advisory |
07 Jul 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-07 17:16
Updated : 2026-07-09 14:33
NVD link : CVE-2026-13020
Mitre link : CVE-2026-13020
CVE.ORG link : CVE-2026-13020
JSON object : View
Products Affected
kubernetes
- kubernetes
esri
- portal_for_arcgis
microsoft
- windows
linux
- linux_kernel
CWE
CWE-640
Weak Password Recovery Mechanism for Forgotten Password
