Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Esri Portal for ArcGIS versions 12.1 and earlier contain a critical missing authentication vulnerability that exposes unprotected API endpoints to unauthenticated remote attackers. This flaw affects organizations running Portal on Windows, Linux, and Kubernetes environments, allowing adversaries to bypass authentication controls entirely and gain direct access to sensitive geospatial infrastructure. With a CVSS score of 9.8, this vulnerability represents a severe risk to enterprises relying on ArcGIS for critical GIS operations, data management, and mapping services. Any organization using affected Portal versions faces potential unauthorized access, data exfiltration, and lateral movement opportunities within their infrastructure.
While this CVE does not map directly to MITRE ATT&CK techniques, Casky's Claude-powered detection capabilities would identify the underlying attack patterns associated with CWE-640 (Weak or Missing Authentication). Practitioners using Casky would observe detection findings focused on unauthorized API access attempts, including unauthenticated requests to critical Portal endpoints, unusual API calls lacking proper authentication tokens, and anomalous data access patterns from unauthenticated sources. The platform's extended reasoning would help security teams correlate these API anomalies with potential T1078 (Valid Accounts) variants and T1526 (Enumerate Cloud Resources) behaviors, revealing how attackers probe and access exposed functionality. Casky's skill mapping would guide practitioners toward implementing proper authentication controls, segmentation of Portal infrastructure, and deployment of API gateway protections to prevent exploitation of this authentication bypass.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-13019. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation