New at Horizon3.ai

 CVE-2026-9181

Esri ArcGIS Server Pre-Authentication Path Traversal Vulnerability

CVE-2026-9181 is a critical pre-authentication path traversal vulnerability affecting Esri ArcGIS Server 12.0 and prior. The vulnerability exists in the ArcGIS Server REST Uploads resource, where insufficient validation of crafted path parameters allows an unauthenticated remote attacker to traverse outside the intended directory boundary. Successful exploitation could allow an attacker to access sensitive files on the ArcGIS Server system without requiring valid credentials. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical)

Technical Details

CVE-2026-9181 is a path traversal vulnerability (CWE-22) within the ArcGIS Server REST Uploads resource. By supplying a crafted itemName parameter, an attacker can bypass path validation and traverse outside the intended upload directory.

Successful exploitation could allow an unauthenticated attacker to access sensitive files on the ArcGIS Server system. The vulnerability is remotely exploitable over the network, requires no authentication, and requires no user interaction.

Vendor: Esri

Product: ArcGIS Server

Vulnerability Class: Path Traversal (CWE-22)

Authentication Required: None

Attack Vector: Network

CVSS v3.1 Base Score: 9.8 (Critical)

Stop Guessing, Start Proving

NodeZero® Proactive Security Platform — Rapid Response

A NodeZero Rapid Response test has been developed to safely validate whether this vulnerability can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.

  • Run the Rapid Response test: Launch from the NodeZero platform to determine whether exploitation is possible.
  • Patch immediately: Apply the ArcGIS Server Security 2026 Update 2 Patch or the vendor-recommended mitigation.
  • Re-run the test: Confirm the vulnerability is no longer exploitable after remediation.

Affected Versions & Patch

Affected

  • ArcGIS Server 12.0 and prior

Fixed

Esri recommends customers running the following supported releases install the ArcGIS Server Security 2026 Update 2 Patch:

  • ArcGIS Server 12.0
  • ArcGIS Server 11.5
  • ArcGIS Server 11.4
  • ArcGIS Server 11.3
  • ArcGIS Server 11.1

Mitigations

  • Apply the ArcGIS Server Security 2026 Update 2 Patch as soon as possible.
  • The security update is cumulative and does not require previous ArcGIS Server security patches to be installed.
  • If immediate patching is not possible, Esri recommends implementing the Web Application Firewall (WAF) guidance described in the ArcGIS Enterprise Hardening Guide until the security update can be applied.

Timeline

  • May 27, 2026: Esri published the May 2026 ArcGIS Security Bulletin describing CVE-2026-9181.
  • May 27, 2026: Esri released the ArcGIS Server Security 2026 Update 2 Patch.
  • May 27, 2026: Esri recommended ArcGIS Enterprise customers apply the security update within two weeks to reduce exposure.
  • July 8, 2026: Horizon3.ai Rapid Response test.

References

Read about other CVEs

NodeZero® Platform

Implement a continuous find, fix, and verify loop with NodeZero

The NodeZero® platform empowers your organization to reduce your security risks by autonomously finding exploitable weaknesses in your network, giving you detailed guidance around how to priortize and fix them, and having you immediately verify that your fixes are effective.
Explore NodeZero

Recognized By