CVE-2026-2812— Improper Authentication issue in ArcGIS Server
Possible ATT&CK Techniques 3AI
T1078 · Valid Accounts T1496 · Resource Hijacking T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Esri | ArcGIS Server | 11.1≤ 12.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-2812
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper Authentication issue in ArcGIS Server
Source: NVD (National Vulnerability Database)
Vulnerability Description
ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This issue affects ArcGIS Server 12.0 and earlier.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Esri ArcGIS Server 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Esri ArcGIS Server是Esri公司的一个面向Web的可用于提供地理位置服务的企业级软件平台。 Esri ArcGIS Server 12.0及之前版本存在授权问题漏洞,该漏洞源于未记录的行政端点存在身份验证不当,可能导致未经身份验证的攻击者通过发送特制请求利用此问题,成功利用可能导致基于Web的浏览界面中断。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Esri | ArcGIS Server | 11.1 ~ 12.0 | - |
II. Public POCs for CVE-2026-2812
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-2812
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: ArcGIS Server
- CVE-2026-2813
Unvalidated Redirect in ArcGIS Server - CVE-2025-67711
Reflected XSS vulnerability in ArcGIS Server. - CVE-2025-67710
Stored XSS vulnerability in ArcGIS Server - CVE-2025-67709
There is a cross site scripting issue in ArcGIS Server. - CVE-2025-67708
Reflected cross-site scripting (XSS) vulnerability in ArcGIS
Same vendor: Esri
- CVE-2026-2813
Unvalidated Redirect in ArcGIS Server - CVE-2026-33519
Incorrect privilege assignment in Portal for ArcGIS - CVE-2026-33518
Incorrect privilege assignment in Portal for ArcGIS - CVE-2026-1446
XSS issue is Esri ArcGIS Pro versions 3.6.0 and earlier - CVE-2025-67711
Reflected XSS vulnerability in ArcGIS Server.
Same weakness: CWE-287
- CVE-2026-44058
Authentication bypass via admin auth user - CVE-2026-40165
authentik: SAML NameID XML Comment Injection Enables Authent - CVE-2026-9084
MISP OIDC authentication bypass via automatic email-based ac - CVE-2026-6456
Account Switcher <= 1.0.2 - Authenticated (Subscriber+) Auth - CVE-2026-45434
Apache OFBiz: Authentication Bypass via Password-Change Logi
V. Comments for CVE-2026-2812
No comments yet