CVE-2026-2812
Improper Authentication in ArcGIS Server
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Environmental Systems Research Institute, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| esri | arcgis_server | up to 12.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker can send a specially crafted request to this hidden endpoint.
If the attacker successfully exploits this vulnerability, it may disrupt the web-based browsing interface of the ArcGIS Server.
This issue affects ArcGIS Server version 12.0 and earlier.
How can this vulnerability impact me?
The vulnerability allows an unauthenticated attacker to disrupt the web-based browsing interface of the ArcGIS Server.
This disruption could impact availability or usability of the server's web interface, potentially affecting users who rely on it.
However, beyond the interface disruption, the vulnerability does not impact confidentiality or availability, as it does not allow data disclosure or system takeover.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in ArcGIS Server allows an unauthenticated attacker to disrupt the web-based browsing interface by exploiting an undocumented administrative endpoint. While this may impact the availability and integrity of the service, there is no direct indication that it compromises confidentiality or personal data.
Given the lack of evidence that personal or sensitive data is exposed or altered, the vulnerability's impact on compliance with standards such as GDPR or HIPAA is likely limited to potential service disruption rather than data breach or unauthorized data access.