CVE-2026-1446 Overview
A Cross-Site Scripting (XSS) vulnerability has been identified in Esri ArcGIS Pro versions 3.6.0 and earlier. This vulnerability allows a local attacker to supply malicious strings into ArcGIS Pro, which may execute when a specific dialog is opened. The vulnerability requires user interaction to trigger, as malicious scripts are executed when a user opens a particular dialog within the application.
Critical Impact
Local attackers can inject malicious scripts that execute within the context of ArcGIS Pro when users interact with specific dialogs, potentially leading to information disclosure and limited integrity impact.
Affected Products
- Esri ArcGIS Pro versions 3.6.0 and earlier
Discovery Timeline
- January 26, 2026 - CVE-2026-1446 published to NVD
- January 27, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1446
Vulnerability Analysis
This vulnerability is classified as Cross-Site Scripting (CWE-79), which occurs when an application fails to properly sanitize user-supplied input before rendering it in an output context. In the case of ArcGIS Pro, malicious strings can be injected locally and subsequently execute when specific dialogs are opened within the application.
The attack requires local access to the system and user interaction, as the malicious payload only triggers when the victim opens a particular dialog. Successful exploitation could allow an attacker to execute arbitrary scripts within the application context, potentially leading to disclosure of sensitive information or modification of data displayed to the user.
Root Cause
The vulnerability stems from improper input validation and insufficient sanitization of user-supplied strings within ArcGIS Pro. When these strings are processed and rendered in the context of specific dialogs, the application fails to properly encode or escape potentially malicious content, allowing script execution.
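The following added example illustrates the encoding failure described above in a small, hypothetical dialog renderer. It is not ArcGIS Pro code and the advisory does not describe the application's real rendering path; the field names, the `render_dialog_*` functions, the allowlist pattern and the sample strings are all assumptions made for the illustration. It places the vulnerable form (verbatim interpolation) beside the hardened form (HTML-encoding every user-controlled string for the element-content context, plus boundary validation).

```python
import html
import re

# Added illustration of the CWE-79 pattern in the advisory. The dialog renderer,
# field names and sample strings are hypothetical; none of this is ArcGIS Pro code.

# Tag matcher used only to count markup in a rendered fragment.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

# Allowlist for a short display name: letters, digits, space, dot, underscore, hyphen.
_NAME_RE = re.compile(r"^[\w .\-]{1,128}$")


def render_dialog_unsafe(layer_name: str, description: str) -> str:
    """Vulnerable form: user-controlled strings are interpolated into markup verbatim."""
    return f"<h2>{layer_name}</h2><p>{description}</p>"


def render_dialog_safe(layer_name: str, description: str) -> str:
    """Hardened form: every user-controlled string is HTML-encoded for the
    element-content context before it is placed in the fragment."""
    return (
        f"<h2>{html.escape(layer_name, quote=True)}</h2>"
        f"<p>{html.escape(description, quote=True)}</p>"
    )


def is_valid_layer_name(layer_name: str) -> bool:
    """Input validation at the boundary: reject names outside the allowlist.
    Validation complements output encoding; it does not replace it."""
    return _NAME_RE.fullmatch(layer_name) is not None


def count_tags(fragment: str) -> int:
    """Number of HTML tags in a rendered fragment. The template itself
    contributes exactly four (h2, /h2, p, /p); anything more came from input."""
    return len(_TAG_RE.findall(fragment))


if __name__ == "__main__":
    # Constructed sample input: a layer name carrying a script tag.
    tainted = 'Parcels<script>alert("xss")</script>'
    print("valid name:", is_valid_layer_name(tainted))
    print("unsafe tags:", count_tags(render_dialog_unsafe(tainted, "County parcels")))
    print("safe tags:  ", count_tags(render_dialog_safe(tainted, "County parcels")))
    print(render_dialog_safe(tainted, "County parcels"))
```

The tag count makes the difference observable: the unsafe renderer emits the input's tags as live markup, while the hardened renderer emits only the template's own four tags and the input survives as inert text. Encoding must match the output context; a value placed inside an attribute or a script block needs a different encoder than element content.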
Attack Vector
The attack vector is local, meaning an attacker must have local access to the system to inject malicious strings into ArcGIS Pro. The exploitation scenario involves the following:
- An attacker with local access crafts malicious strings containing XSS payloads
- These strings are introduced into ArcGIS Pro through input fields or configuration data
- When a legitimate user opens a specific dialog that renders these strings, the malicious script executes
- The script runs within the application context, potentially accessing sensitive information or performing unauthorized actions
The resulting script execution could have limited confidentiality and integrity impact within the scope of the application, and its effect may reach components beyond the vulnerable application itself.
Detection Methods for CVE-2026-1446
Indicators of Compromise
- Unusual or unexpected script content within ArcGIS Pro configuration files or project data
- Suspicious strings containing JavaScript or HTML tags in user-controlled input fields
- Unexpected network connections or data exfiltration attempts originating from ArcGIS Pro processes
Detection Strategies
- Monitor ArcGIS Pro log files for evidence of script execution errors or unusual activity when dialogs are opened
- Implement file integrity monitoring on ArcGIS Pro project files and configuration directories
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious behavior from the ArcGISPro.exe process
Monitoring Recommendations
- Enable verbose logging within ArcGIS Pro to capture dialog interactions and input processing events
- Configure security information and event management (SIEM) rules to alert on potential XSS patterns in ArcGIS-related logs
- Regularly audit user-supplied content and project files for suspicious script-like content
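As an added example of the indicator scanning and log rules listed above, the script below runs a small set of script-content patterns over constructed metadata records and constructed log lines. It is not part of the advisory and not an Esri tool; the record layout, the key=value log format, the file names (`project.aprx`, `layer.lyrx`, `settings.xml`) and every value are assumptions made for the illustration, since the advisory does not describe ArcGIS Pro's actual file or log formats. It also handles one edge case worth noting: a payload stored in HTML-entity or percent-encoded form is decoded before matching, because a later renderer would decode it too.

```python
import html
import re
from urllib.parse import unquote

# Added detection example for the indicators in the advisory. The record layout,
# log format, file names and values are constructed; they are not ArcGIS Pro's
# real formats, which the advisory does not describe.

# Script-like content patterns, matched case-insensitively after decoding.
SCRIPT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "embedded_frame": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
}

# Constructed metadata records as a file-integrity or export tool might emit them:
# (source file, field name, user-controlled value).
SAMPLE_RECORDS = [
    ("project.aprx", "layer_name", "Parcels 2025"),
    ("project.aprx", "description", "County parcels<script>alert(1)</script>"),
    ("layer.lyrx", "popup_title", '<img src=x onerror="alert(1)">'),
    ("settings.xml", "tooltip", "See &lt;a href=&quot;javascript:void(0)&quot;&gt;help&lt;/a&gt;"),
    ("project.aprx", "notes", "Survey notes for Q1, nothing unusual"),
]

# Constructed log lines in a hypothetical key=value format.
SAMPLE_LOG_LINES = [
    '2026-01-27T10:15:02Z INFO dialog=LayerProperties field=description value="County parcels"',
    '2026-01-27T10:15:09Z INFO dialog=LayerProperties field=description value="x<script>alert(1)</script>"',
    '2026-01-27T10:16:30Z INFO dialog=Symbology field=label value="Zoning%3Cscript%3Ealert(1)%3C%2Fscript%3E"',
]

_LOG_RE = re.compile(r'dialog=(?P<dialog>\S+) field=(?P<field>\S+) value="(?P<value>.*)"$')


def normalize(value: str) -> str:
    """Decode one layer of HTML-entity and percent encoding so a payload stored
    in encoded form, which a later renderer would decode, is still matched."""
    return unquote(html.unescape(value))


def scan_value(value: str) -> list[str]:
    """Return the names of all patterns that match the decoded value."""
    decoded = normalize(value)
    return sorted(name for name, pat in SCRIPT_PATTERNS.items() if pat.search(decoded))


def scan_records(records) -> list[dict]:
    """Scan (source, field, value) tuples and report only those with matches."""
    findings = []
    for source, field, value in records:
        matches = scan_value(value)
        if matches:
            findings.append({"source": source, "field": field, "matches": matches})
    return findings


def scan_log_lines(lines) -> list[dict]:
    """Parse dialog/field/value log lines and flag script-like values,
    the kind of rule a SIEM would run over collected application logs."""
    findings = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue  # line carries no user-controlled value
        matches = scan_value(m["value"])
        if matches:
            findings.append({"dialog": m["dialog"], "field": m["field"], "matches": matches})
    return findings


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS) + scan_log_lines(SAMPLE_LOG_LINES):
        print(finding)
```

Treat the pattern set as a starting point rather than a complete rule: the event-handler pattern in particular can match ordinary text such as "one=" and should be tuned against a baseline of known-good project files before it feeds an alert.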
How to Mitigate CVE-2026-1446
Immediate Actions Required
- Upgrade immediately to ArcGIS Pro 3.6.1, which contains the fix for this vulnerability
- Review any shared ArcGIS Pro projects or configuration files for potentially malicious content before opening
- Restrict local access to systems running ArcGIS Pro to authorized users only
Patch Information
Esri has released ArcGIS Pro 3.6.1, which addresses this vulnerability. The patch is available through the official Esri distribution channels. Organizations should prioritize upgrading all ArcGIS Pro installations to version 3.6.1 or later. For detailed patch information, refer to the Esri ArcGIS Pro 3.6.1 Patch release notes.
Workarounds
- Limit local access to systems running ArcGIS Pro to trusted users only until the patch can be applied
- Exercise caution when opening ArcGIS Pro projects or files from untrusted sources
- Implement application whitelisting to prevent unauthorized script execution within the ArcGIS Pro environment
Until patching is complete, organizations should exercise heightened awareness when using ArcGIS Pro and avoid opening projects or data from untrusted sources.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.