CVE-2026-9181
Esri · ArcGIS Server
ArcGIS Server is affected by a directory traversal vulnerability that allows unauthenticated attackers to access sensitive files on the host system via crafted path parameters.
Executive summary
A critical directory traversal vulnerability in Esri ArcGIS Server allows unauthenticated remote attackers to read sensitive system files, posing a significant risk to organizational data.
Vulnerability
This vulnerability (CWE-22) arises from improper limitation of pathnames to a restricted directory. An unauthenticated attacker can supply malicious path parameters to the server, allowing them to bypass access restrictions and read arbitrary files from the underlying system.
Business impact
With a CVSS score of 9.8, this flaw represents a critical exposure of sensitive information. Unauthorized access to files could lead to the compromise of configuration secrets, credentials, or proprietary data, which may then facilitate further attacks against the infrastructure.
Remediation
Immediate Action: Apply the relevant security updates provided in the May 2026 ArcGIS Security Bulletin to patch the directory traversal flaw.
Proactive Monitoring: Audit server access logs for requests containing directory traversal sequences (e.g., "../") directed at ArcGIS endpoints.
Compensating Controls: Utilize a Web Application Firewall (WAF) to filter and block incoming requests containing path traversal sequences or non-standard characters in parameters.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity and exploitability of this vulnerability necessitate immediate patching. Administrators must review the Esri security bulletin and deploy the required updates to all instances of ArcGIS Server to mitigate the risk of unauthorized file disclosure and potential system compromise.