CVE-2026-2812
Published: 2026-05-20
CVE-2026-2812: ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this…
Priority P3 · 36 · medium · 5.3 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.36% (27.9th percentile)
ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This issue affects ArcGIS Server 12.0 and earlier.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| esri | arcgis_server | 11.1 – 12.0 | — |
VulDB
Esri ArcGIS Server up to 12.0 Endpoint improper authentication
vuldb·2026-05-20·CVSS 5.3
CVE-2026-2812 [MEDIUM] Esri ArcGIS Server up to 12.0 Endpoint improper authentication
A vulnerability was found in Esri ArcGIS Server up to 12.0 and classified as critical. The affected element is an unknown function of the component Endpoint. Executing a manipulation can lead to improper authentication.
This vulnerability is tracked as CVE-2026-2812. The attack can be launched remotely. No exploit exists.
GHSA
GHSA-3wjj-6pp2-788h: ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint
ghsa_unreviewed·2026-05-20
CVE-2026-2812 [MEDIUM] CWE-287 GHSA-3wjj-6pp2-788h: ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint
ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This issue affects ArcGIS Server 12.0 and earlier.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-20