CVE-2026-2812
Analyzed Analyzed - Analysis Complete
Improper Authentication in ArcGIS Server

Publication date: 2026-05-20

Last updated on: 2026-05-21

Assigner: Environmental Systems Research Institute, Inc.

Description
ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This issue affects ArcGIS Server 12.0 and earlier.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-2812
EUVD
EUVD-2026-31147
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
esri arcgis_server From 11.1 (inc) to 12.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. This means that an attacker who is not authenticated can send a specially crafted request to this hidden endpoint.

If the attacker successfully exploits this vulnerability, it may disrupt the web-based browsing interface of the ArcGIS Server.

This issue affects ArcGIS Server version 12.0 and earlier.

Compliance Impact

The vulnerability in ArcGIS Server allows an unauthenticated attacker to disrupt the web-based browsing interface by exploiting an undocumented administrative endpoint. While this may impact the availability and integrity of the service, there is no direct indication that it compromises confidentiality or personal data.

Given the lack of evidence that personal or sensitive data is exposed or altered, the vulnerability's impact on compliance with standards such as GDPR or HIPAA is likely limited to potential service disruption rather than data breach or unauthorized data access.

Impact Analysis

The vulnerability allows an unauthenticated attacker to disrupt the web-based browsing interface of the ArcGIS Server.

This disruption could impact availability or usability of the server's web interface, potentially affecting users who rely on it.

However, the vulnerability does not impact confidentiality or availability beyond the interface disruption, as it does not allow data disclosure or system takeover.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2812. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart