CVE-2026-9181: Unauthenticated Directory Traversal in ArcGIS Server
An unauthenticated attacker can exploit CVE-2026-9181, a critical directory traversal vulnerability in ArcGIS Server versions 12.0 and prior, by sending crafted path parameters to access sensitive files, leading to unauthorized information disclosure.
ArcGIS Server, a core component of Esri's enterprise geospatial platform, is vulnerable to a critical directory traversal (CWE-22) identified as CVE-2026-9181. This vulnerability affects all versions up to and including 12.0. An unauthenticated attacker can remotely exploit this flaw by submitting specially crafted path parameters within HTTP requests. Successful exploitation grants the attacker the ability to read arbitrary files from the underlying server's file system, potentially leading to the exposure of sensitive configuration files, credentials, or other critical data. This poses a significant risk to the confidentiality of organizations utilizing vulnerable ArcGIS Server deployments. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical).
Attack Chain
- An unauthenticated attacker identifies an internet-facing ArcGIS Server instance running a vulnerable version (12.0 or prior).
- The attacker constructs a malicious HTTP request containing specially crafted path parameters (e.g.,
../,..%2f) targeting specific endpoints on the ArcGIS Server. - This crafted request exploits the directory traversal vulnerability (CWE-22) in ArcGIS Server's request handling logic.
- The server incorrectly resolves the malicious path, allowing the request to access files and directories outside the intended web root or application sandbox.
- The attacker can then specify the names of sensitive files (e.g., configuration files, system logs, user data) on the server's file system.
- ArcGIS Server retrieves and returns the content of these sensitive files to the attacker, leading to unauthorized information disclosure.
- The attacker exfiltrates the accessed sensitive data for further analysis or exploitation.
Impact
If exploited, CVE-2026-9181 could lead to severe data breaches, compromising the confidentiality and potentially the integrity of systems hosting ArcGIS Server. Attackers could gain access to configuration files containing database credentials, API keys, or other sensitive information, which could then be used for further lateral movement or privilege escalation within the network. This directly impacts organizations relying on ArcGIS Server for critical mapping and spatial data operations, potentially across various sectors including government, critical infrastructure, and defense. The unauthenticated nature and high CVSS score indicate a significant risk, as exploitation does not require any prior access or legitimate user credentials.
Recommendation
- Immediately patch all ArcGIS Server instances to a version that addresses CVE-2026-9181 as per the vendor advisory from Esri.
- Review web server access logs for ArcGIS Server (found in
/var/log/apache2/access.logfor Apache, or IIS logs on Windows) for signs of directory traversal attempts, specifically requests containing../,..%2f, or similar path manipulation sequences in the URI. - Ensure proper network segmentation and firewall rules are in place to limit exposure of ArcGIS Server instances to untrusted networks, complementing the patching for
CVE-2026-9181.