CVE-2026-2813
Analyzed Analyzed - Analysis Complete
Open Redirect Vulnerability in ArcGIS Server

Publication date: 2026-05-20

Last updated on: 2026-05-21

Assigner: Environmental Systems Research Institute, Inc.

Description
ArcGIS Server contains an input validation weakness in the login redirection workflow. An Authenticated attacker could exploit this issue by sending a specially crafted request, Successful exploitation may result in the application redirecting the browser to an unintended, untrusted site, resulting in a limited confidentiality impact under specific user interaction conditions. The vulnerability affects only the client side navigation logic during authentication and remains confined to the same security boundary. No server side compromise or cross component impact is possible.Β Β This issue affects ArcGIS Server 11.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-08
NVD
CVE-2026-2813
EUVD
EUVD-2026-31145
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
esri arcgis_server 11.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability results in a limited confidentiality impact under specific user interaction conditions by redirecting the browser to an unintended, untrusted site. However, it affects only client side navigation logic during authentication and does not involve server side compromise or cross component impact.

Given the limited confidentiality impact and the confinement within the same security boundary, this vulnerability may have minimal direct effect on compliance with common standards and regulations such as GDPR or HIPAA, which emphasize protection of sensitive data and system integrity.

Nevertheless, any confidentiality impact, even limited, could potentially raise concerns under these regulations depending on the context of data handled and the environment in which ArcGIS Server is deployed.

Executive Summary

This vulnerability exists in ArcGIS Server 11.5 and involves an input validation weakness in the login redirection workflow.

An authenticated attacker can exploit this by sending a specially crafted request that causes the application to redirect the browser to an unintended and untrusted site.

The issue affects only the client side navigation logic during authentication and does not compromise the server or other components.

Impact Analysis

Successful exploitation may lead to the application redirecting users to untrusted sites, which could potentially expose users to phishing or other malicious activities.

The impact is limited to confidentiality under specific user interaction conditions, with no impact on integrity or availability.

Since the vulnerability is confined to client side navigation and remains within the same security boundary, no server side compromise or broader system impact is possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2813. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart