COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-13020

CVE-2026-13020

Severity
high
Source
NVD · cve
Published
2026-07-07
CVSS
8.1
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-13020
shame 25/100

A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators sh

Players implicated

ESRI · vendorMicrosoft · vendorkubernetes · vendorlinux · vendorkubernetes · productlinux kernel · productportal for arcgis · productwindows · product

Description

A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a user’s password remains unchanged.

Affected FedRAMP products 7 in the catalog

ProductProviderStatusMatch
ArcGIS Online (AGO) ESRI Authorized vendor-exact · 0.90
ArcGIS Online (AGO) Moderate ESRI In Process vendor-exact · 0.90
Azure Commercial Cloud Microsoft Authorized vendor-exact · 0.90
Azure Government (includes Dynamics 365) Microsoft Authorized vendor-exact · 0.90
Esri Managed Cloud Services Advanced Plus ESRI Authorized vendor-exact · 0.90
Microsoft Office 365 GCC High Microsoft In Process vendor-exact · 0.90
Office 365 Multi-Tenant & Supporting Services Microsoft Authorized vendor-exact · 0.90