Warning of security vulnerability in Portal for ArcGIS

Last Published: April 25, 2020


Esri has discovered a critical security vulnerability in Portal for ArcGIS when specially constructed steps are taken by authenticated users. This results in a privilege escalation issue where the user can elevate themselves to become administrators of the portal.

This issue is present in all supported versions of Portal for ArcGIS, on both Windows and Linux operating systems. Esri has released patches for all versions of Portal for ArcGIS, from version 10.3 through 10.6.1.


This is a known issue which has been logged by Esri as a defect, BUG-000117564.

Solution or Workaround

Esri strongly recommends installing the relevant patch at the earliest possible opportunity.

All patches can be downloaded from the Esri Support Website:

For users of versions 10.6.1, 10.5.1, 10.4.1, and 10.3.1, the Portal for ArcGIS Security 2018 Update 3 Patch is available. This includes a fix for this issue, along with other recommended fixes for security issues.

For users of versions 10.6, 10.5, 10.4, and 10.3, the Portal for ArcGIS Privilege Escalation Security Patch is available which contains a fix for this issue.
For any questions about this patch and resolving the security vulnerability, please contact Esri Technical Support.

Article ID:000019576

  • Portal for ArcGIS

Receive notifications and find solutions for new or common issues

Get summarized answers and video solutions from our new AI chatbot.

Download the Esri Support App

Related Information

Discover more on this topic

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options