Esri ArcGIS Server Improper Authentication Vulnerability in Undocumented Administrative Endpoint

Vulnerability

An improper authentication vulnerability has been identified in ArcGIS Server versions 12.0 and earlier. The issue resides in an undocumented administrative endpoint: an unauthenticated attacker can send a crafted request that disables the Services Directory web interface, disrupting web-based browsing. Exploitation does not affect service availability, API access, or data confidentiality; the result is a low-severity integrity impact.

Impact

Exploitation of this vulnerability can disrupt the web-based browsing interface, specifically by disabling the Services Directory. However, it does not impact service availability, API access, or data confidentiality.

Remediation

Users are advised to update to ArcGIS Server Security 2026 Update 1 Patch, which is available through the Esri Patches and Updates page. This patch should be installed as soon as possible to minimize risk.

Added: May 20, 2026, 9:00 PM
Updated: May 20, 2026, 9:00 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 2.5
exploitability: 6.8
remediation: 7.7
relevance: 8.9
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.