Description
ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This issue affects ArcGIS Server 12.0 and earlier.
Published: 2026-05-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ArcGIS Server contains an improper authentication weakness in an undocumented administrative endpoint. The flaw allows an unauthenticated attacker to craft a request that bypasses proper authentication checks, potentially disrupting the web‑based browsing interface. This weakness is classified as CWE‑287 and offers no elevation of privilege or code execution; the primary consequence is a denial of service to users accessing the interface.

Affected Systems

The issue affects Esri ArcGIS Server versions 12.0 and earlier. Any deployment of these versions that exposes the undocumented administrative endpoint is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that an unauthenticated attacker be able to reach the target over the network; the attack method is likely remote. While no known public exploits have been reported, the potential for service disruption remains, warranting timely remediation.

Generated by OpenCVE AI on May 20, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest ArcGIS Server patch that addresses the authentication flaw.
  • Configure network or application firewalls to block or restrict access to the undocumented administrative endpoint, limiting it to trusted administrators only.
  • Audit and monitor administrative access logs for suspicious request patterns and enforce strict access controls on all administrative functions.

Generated by OpenCVE AI on May 20, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Esri
Esri arcgis Server
Vendors & Products Esri
Esri arcgis Server

Wed, 20 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This issue affects ArcGIS Server 12.0 and earlier.
Title Improper Authentication issue in ArcGIS Server
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Esri Arcgis Server
cve-icon MITRE

Status: PUBLISHED

Assigner: Esri

Published:

Updated: 2026-05-20T19:30:36.857Z

Reserved: 2026-02-19T16:37:22.095Z

Link: CVE-2026-2812

cve-icon Vulnrichment

Updated: 2026-05-20T19:30:33.045Z

cve-icon NVD

Status : Received

Published: 2026-05-20T20:16:36.930

Modified: 2026-05-20T20:16:36.930

Link: CVE-2026-2812

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T20:30:39Z

Weaknesses