CVE-2026-13020

A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a user’s password remains unchanged.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*
OR cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

09 Jul 2026, 14:33

Type Values Removed Values Added
CPE cpe:2.3:a:kubernetes:kubernetes:-:*:*:*:*:*:*:*
cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
First Time Linux
Esri portal For Arcgis
Kubernetes kubernetes
Linux linux Kernel
Esri
Microsoft windows
Kubernetes
Microsoft
References () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/june-2026-arcgis-security-bulletin - () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/june-2026-arcgis-security-bulletin - Vendor Advisory

07 Jul 2026, 17:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-07 17:16

Updated : 2026-07-09 14:33


NVD link : CVE-2026-13020

Mitre link : CVE-2026-13020

CVE.ORG link : CVE-2026-13020


JSON object : View

Products Affected

kubernetes

  • kubernetes

esri

  • portal_for_arcgis

microsoft

  • windows

linux

  • linux_kernel
CWE
CWE-640

Weak Password Recovery Mechanism for Forgotten Password