Description
ArcGIS Server contains an input validation weakness in the login redirection workflow. An authenticated attacker could exploit this issue by sending a specially crafted request. Successful exploitation may result in the application redirecting the browser to an unintended, untrusted site, resulting in a limited confidentiality impact under specific user interaction conditions.
The vulnerability affects only the client-side navigation logic during authentication and remains confined to the same security boundary. No server-side compromise or cross-component impact is possible. This issue affects ArcGIS Server 11.5.
Published: 2026-05-20
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ArcGIS Server includes an input validation weakness in the login redirection workflow. An authenticated attacker can exploit this by sending a specially crafted request that causes the application to redirect the browser to an unintended, untrusted site. The vulnerability results in a limited confidentiality impact if the user interacts with the redirected page. This flaw does not permit server‑side compromise or broader cross‑component damage.

Affected Systems

Esri ArcGIS Server 11.5 is the only version known to be affected by this vulnerability. No other software or version ranges are listed as impacted.

Risk and Exploitability

The CVSS score of 4.7 places this issue in the moderate range, and the EPSS score is not available, which indicates insufficient data on current exploitation activity. The vulnerability requires the attacker to be authenticated and relies on client-side navigation logic, limiting the attack surface. It is not listed in CISA's KEV catalog, underscoring that while the flaw can lead to phishing-style redirection, it is unlikely to be frequently exploited in the wild.

Generated by OpenCVE AI on May 20, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ArcGIS Server to the latest version or to a release that includes the redirect validation fix.
  • Configure the server or web client to whitelist redirect destinations, limiting URLs to trusted domains only, and remove any user‑supplied redirect parameters from the login flow.
  • Add firewall or application‑layer filtering to detect and block attempts to inject malicious redirect URLs in authentication requests, and monitor logs for unusual redirect attempts.
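The second recommended action above (allowlist redirect destinations and refuse user-supplied targets outside them) is the standard fix for CWE-601. The following is an added illustration written for this page, not Esri's code or ArcGIS Server's actual login handler; the allowlisted hosts and the fallback path are constructed values. It shows the checks a redirect validator needs beyond a plain host comparison: scheme-relative targets, backslashes, userinfo before the host, non-https schemes and unparsable input all fall back to a fixed landing page.

```python
from urllib.parse import urlsplit

# Hosts the login flow may send a browser to after authentication.
# Constructed for this example; a real deployment lists its own portal hosts.
ALLOWED_HOSTS = {"gis.example.org", "portal.example.org"}
FALLBACK = "/arcgis/home"  # hypothetical fixed landing page


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return candidate only if it is a same-site absolute path or an https
    URL whose host is explicitly allowlisted; otherwise return the fixed
    fallback. Never returns anything derived from an untrusted host."""
    if not candidate or len(candidate) > 2048:
        return fallback
    # Browsers treat backslashes as slashes and strip some control characters,
    # so refuse anything a client could parse differently than the server.
    if "\\" in candidate or any(ord(ch) < 0x21 for ch in candidate):
        return fallback
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative target: require exactly one leading slash. A scheme-relative
        # "//host/..." never reaches here because urlsplit gives it a netloc.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback
    if parts.scheme.lower() != "https":
        return fallback
    # "https://trusted@evil" parses trusted as userinfo, evil as the host.
    if parts.username is not None or parts.password is not None:
        return fallback
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:  # exact match, not suffix/prefix match
        return fallback
    return candidate
```

Logging the rejected candidate alongside the authenticated user supports the monitoring step in the last bullet without ever following the untrusted URL.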



Advisories

No advisories yet.

History

Wed, 20 May 2026 20:45:00 +0000

Values added (nothing removed):
First Time appeared: Esri; Esri arcgis Server
Weaknesses: CWE-601
Vendors & Products: Esri; Esri arcgis Server

Wed, 20 May 2026 20:15:00 +0000

Values added (nothing removed):
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 19:30:00 +0000

Values added (nothing removed):
Description: ArcGIS Server contains an input validation weakness in the login redirection workflow. An authenticated attacker could exploit this issue by sending a specially crafted request. Successful exploitation may result in the application redirecting the browser to an unintended, untrusted site, resulting in a limited confidentiality impact under specific user interaction conditions. The vulnerability affects only the client-side navigation logic during authentication and remains confined to the same security boundary. No server-side compromise or cross-component impact is possible. This issue affects ArcGIS Server 11.5.
Title: Unvalidated Redirect in ArcGIS Server
References:
Metrics: cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}


Subscriptions

Esri Arcgis Server
MITRE

Status: PUBLISHED

Assigner: Esri

Published:

Updated: 2026-05-20T19:29:23.736Z

Reserved: 2026-02-19T16:37:23.274Z

Link: CVE-2026-2813

Vulnrichment

Updated: 2026-05-20T19:29:19.935Z

NVD

Status : Received

Published: 2026-05-20T20:16:37.087

Modified: 2026-05-20T20:16:37.087

Link: CVE-2026-2813

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T20:30:39Z

Weaknesses