CVE-2026-9181 Overview
CVE-2026-9181 is a directory traversal vulnerability [CWE-22] in Esri ArcGIS Server that allows unauthenticated remote attackers to overwrite sensitive files on the underlying operating system. Attackers exploit the flaw by sending crafted path parameters over the network. Successful exploitation can lead to full administrative access to the ArcGIS Server, compromising confidentiality, integrity, and availability. The issue affects all versions of ArcGIS Server on Windows and Linux at version 12.0 and prior. ArcGIS Enterprise on Kubernetes deployments are not affected.
Critical Impact
Unauthenticated attackers can overwrite sensitive files and gain full administrative control of ArcGIS Server instances on Windows and Linux running version 12.0 or earlier.
Affected Products
- Esri ArcGIS Server (all versions on Windows and Linux, 12.0 and prior)
- Microsoft Windows deployments of ArcGIS Server
- Linux deployments of ArcGIS Server
Discovery Timeline
- 2026-07-06 - CVE-2026-9181 published to the National Vulnerability Database (NVD)
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-9181
Vulnerability Analysis
CVE-2026-9181 is a path traversal weakness in Esri ArcGIS Server. The server accepts user-supplied path parameters in HTTP requests without adequate normalization or containment. An attacker can craft input containing directory traversal sequences to escape the intended file system boundary and reach arbitrary locations on disk.
The vulnerability supports write operations, allowing an attacker to overwrite files rather than merely read them. Overwriting server configuration files, credential stores, or executable content leads to administrative takeover of the ArcGIS Server. Because exploitation requires no authentication, exposed instances are directly reachable by any network attacker.
Deployments of ArcGIS Enterprise on Kubernetes use a different architecture and are not affected. Traditional on-premises deployments on Windows Server and Linux hosts are the exposed surface.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. Path parameters supplied by unauthenticated clients are joined with a server-controlled base directory without sanitizing traversal sequences such as ../ or their encoded variants. The resulting file operation resolves outside the intended location.
Attack Vector
Exploitation occurs remotely over the network against the ArcGIS Server HTTP interface. No credentials, user interaction, or prior foothold are required. An attacker sends a crafted request containing malicious path parameters that reference files outside the ArcGIS Server root, then leverages the resulting write primitive to plant or modify files consumed by privileged server processes.
No verified public exploit code or proof-of-concept was available at the time of publication. The EPSS score of 0.727% indicates limited observed exploitation activity to date.
See the Esri Security Bulletin May 2026 for vendor technical details.
Detection Methods for CVE-2026-9181
Indicators of Compromise
- HTTP requests to ArcGIS Server endpoints containing path traversal sequences such as ../, ..\, %2e%2e%2f, or %252e%252e%252f in URL or body parameters.
- Unexpected modifications to ArcGIS Server configuration files, web application directories, or startup scripts on Windows and Linux hosts.
- New or modified administrative accounts within ArcGIS Server appearing without a corresponding change ticket.
- Outbound connections from the ArcGIS Server process to unfamiliar hosts following suspicious inbound HTTP traffic.
Detection Strategies
- Inspect web server and reverse proxy logs for traversal patterns targeting ArcGIS Server URIs and correlate with source IP reputation.
- Enable file integrity monitoring on ArcGIS Server installation directories, configuration files, and token/credential stores.
- Alert on child process creation by the ArcGIS Server service account that deviates from a known baseline.
Monitoring Recommendations
- Forward ArcGIS Server access logs, system logs, and file integrity events into a centralized analytics platform for correlation.
- Monitor for authentication events using the built-in ArcGIS administrator account, particularly from unfamiliar source addresses.
- Track version and patch state of ArcGIS Server assets to identify hosts still running vulnerable builds at or below 12.0.
How to Mitigate CVE-2026-9181
Immediate Actions Required
- Apply the fixed release referenced in the Esri May 2026 security bulletin to all ArcGIS Server instances on Windows and Linux.
- Restrict network exposure of ArcGIS Server administrative endpoints to trusted management networks and VPN users only.
- Audit ArcGIS Server file systems for unexpected changes, then rotate administrator credentials and tokens after patching.
- Review web server, load balancer, and WAF logs for historical traversal attempts against ArcGIS endpoints.
Patch Information
Esri published fixes and guidance in the Esri Security Bulletin May 2026. Administrators running ArcGIS Server 12.0 or earlier on Windows or Linux should upgrade to the vendor-designated fixed version. ArcGIS Enterprise on Kubernetes does not require action for this specific issue.
Workarounds
- Place ArcGIS Server behind a web application firewall configured to block path traversal sequences including URL-encoded and double-encoded variants.
- Enforce least privilege for the ArcGIS Server service account so that a file overwrite primitive cannot reach operating system or other application directories.
- Disable or firewall public access to non-essential ArcGIS Server endpoints until patching is complete.
# Example WAF rule concept to block traversal in ArcGIS request parameters
# ModSecurity-style pseudo-rule
SecRule REQUEST_URI|ARGS "@rx (\.\./|\.\.\\|%2e%2e%2f|%252e%252e%252f)" \
"id:1029181,phase:2,deny,status:403,\
msg:'CVE-2026-9181 ArcGIS Server path traversal attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

