CVE-2026-2813 Overview
CVE-2026-2813 is an input validation weakness in the login redirection workflow of Esri ArcGIS Server 11.5. An authenticated attacker can craft a request that causes the application to redirect a user's browser to an untrusted external site. Successful exploitation requires user interaction and produces a limited confidentiality impact within the client-side navigation logic. The flaw remains confined to the authentication boundary and does not enable server-side compromise or cross-component impact.
Critical Impact
Attackers can leverage the trusted ArcGIS Server domain to redirect authenticated users to attacker-controlled sites, supporting phishing and credential theft campaigns.
Affected Products
- Esri ArcGIS Server 11.5
Discovery Timeline
- 2026-05-20 - CVE CVE-2026-2813 published to NVD
- 2026-05-20 - Last updated in NVD database
- Vendor advisory published in the Esri Security Bulletin April 2026
Technical Details for CVE-2026-2813
Vulnerability Analysis
The vulnerability resides in the client-side navigation logic that processes redirection parameters after authentication. ArcGIS Server fails to validate the destination URL supplied during the login workflow. An authenticated attacker can submit a specially crafted request that includes an attacker-controlled destination.
When a user follows the manipulated link and completes authentication, the browser is redirected to an unintended, untrusted site. The redirection occurs within the same security boundary as the authentication flow. No server-side state or cross-component data is exposed during the redirect.
The issue maps to improper input validation in URL handling, commonly tracked as an open redirect [CWE-601]. The impact is limited to confidentiality because the destination site may capture referrer data or stage credential harvesting against users who trust the originating ArcGIS Server domain.
Root Cause
The root cause is missing allowlist validation on the post-login redirect target. The application accepts user-supplied URLs without verifying that the destination resolves to a known, trusted ArcGIS Server resource. This allows arbitrary external URLs to pass through the redirect parameter.
Attack Vector
Exploitation requires network access, authenticated privileges to craft the request, and user interaction to follow the resulting link. The attacker distributes the crafted login URL through phishing or other social engineering channels. When the victim clicks the link and authenticates, the ArcGIS Server returns a redirect response pointing to the attacker's site.
The trusted ArcGIS Server hostname in the initial URL increases the likelihood that users complete the workflow. Subsequent pages on the attacker-controlled domain can mimic ArcGIS interfaces to harvest credentials or session data.
Detection Methods for CVE-2026-2813
Indicators of Compromise
- Authentication requests containing redirect or return-URL parameters pointing to external, non-ArcGIS domains.
- HTTP 30x responses from ArcGIS Server endpoints with Location headers referencing untrusted hosts.
- Spikes in outbound referrer traffic from ArcGIS Server login pages to unfamiliar domains.
Detection Strategies
- Inspect web server and reverse proxy logs for login workflow URLs containing fully qualified external URLs in redirect parameters.
- Correlate authentication events with subsequent HTTP redirects to domains outside the organization's allowlist.
- Deploy URL reputation checks at the proxy layer to flag redirects from ArcGIS Server to newly registered or low-reputation domains.
Monitoring Recommendations
- Enable verbose access logging on ArcGIS Server authentication endpoints and forward logs to a centralized SIEM.
- Alert on user reports of unexpected post-login navigation or login pages that do not match the legitimate ArcGIS interface.
- Track phishing telemetry for lures that abuse legitimate ArcGIS Server URLs as initial entry points.
How to Mitigate CVE-2026-2813
Immediate Actions Required
- Apply the security update referenced in the Esri Security Bulletin April 2026 to ArcGIS Server 11.5 deployments.
- Restrict redirect parameters at the reverse proxy or web application firewall until the patch is deployed.
- Educate ArcGIS Server users about phishing campaigns that leverage trusted application URLs.
Patch Information
Esri addresses the input validation weakness in the patch released through the April 2026 security bulletin. Administrators should consult the vendor advisory for version-specific patch identifiers and apply the update to all ArcGIS Server 11.5 instances.
Workarounds
- Configure the reverse proxy or WAF to strip or validate redirect, next, and similar parameters in login URLs.
- Enforce an allowlist of internal hostnames for post-login destinations at the network gateway.
- Disable or restrict externally accessible login endpoints where feasible until patching is complete.
# Example WAF rule fragment to block external redirect targets
# Adjust syntax to match your WAF vendor (ModSecurity shown)
SecRule ARGS:redirect_uri "!@beginsWith https://arcgis.internal.example.com/" \
"id:1002813,phase:2,deny,status:400,msg:'CVE-2026-2813 external redirect blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
