CVE-2026-9182 Overview
CVE-2026-9182 is an unrestricted file upload vulnerability [CWE-434] in Esri ArcGIS Server. An unauthenticated remote attacker can upload a crafted file to an affected endpoint without providing credentials. Successful exploitation enables arbitrary file upload to the server, which can facilitate follow-on attacks including code execution and lateral movement.
The issue affects all versions of ArcGIS Server on Windows and Linux up to and including version 12.0. ArcGIS Enterprise for Kubernetes is not affected.
Critical Impact
An unauthenticated attacker can upload arbitrary files to ArcGIS Server over the network, providing a foothold for further compromise of geospatial infrastructure.
Affected Products
- Esri ArcGIS Server on Windows (all versions ≤ 12.0)
- Esri ArcGIS Server on Linux (all versions ≤ 12.0)
- ArcGIS Enterprise for Kubernetes is not affected
Discovery Timeline
- 2026-07-06 - CVE-2026-9182 published to the National Vulnerability Database (NVD)
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-9182
Vulnerability Analysis
CVE-2026-9182 stems from missing validation of files uploaded to an exposed ArcGIS Server endpoint. The server accepts attacker-controlled file content without verifying the file type, extension, or content signature before writing it to disk. Because the vulnerable endpoint does not require authentication, any network-reachable attacker can trigger the upload path.
Unrestricted file upload flaws [CWE-434] are commonly chained with web-accessible storage paths to achieve remote code execution. An attacker who places an executable script, web shell, or configuration file into a directory served by the application can convert the primitive into full server compromise. The advisory also notes that the upload primitive can enable "other attacks," indicating impact beyond simple file storage.
Root Cause
The root cause is the absence of server-side controls on the upload endpoint. ArcGIS Server does not enforce authentication, file-type allow-listing, MIME validation, or path restrictions on the affected route. This design flaw permits an attacker to write attacker-chosen content to attacker-influenced locations on the host filesystem.
Attack Vector
Exploitation requires only network access to the ArcGIS Server HTTP interface. No user interaction and no prior privileges are needed. An attacker sends a crafted HTTP request containing a malicious payload to the vulnerable upload endpoint. Details of the endpoint and the crafted request are withheld by Esri; refer to the Esri ArcGIS Security Bulletin for vendor guidance.
No public proof-of-concept code is available at the time of publication, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-9182
Indicators of Compromise
- Unexpected files written to ArcGIS Server web-accessible directories, particularly executable extensions (.jsp, .aspx, .war, .sh, .bat) or archive files in upload paths
- HTTP POST or PUT requests to ArcGIS Server upload endpoints from unauthenticated sources or unusual IP addresses
- ArcGIS Server processes (ArcSOC.exe, javaw.exe, node.exe) spawning shells, cmd.exe, powershell.exe, or /bin/sh
- Outbound network connections initiated by ArcGIS Server processes to unknown external hosts
Detection Strategies
- Inspect web server and ArcGIS access logs for anomalous multipart form-data uploads or large POST bodies to administrative endpoints
- Correlate file-write events under ArcGIS installation directories with the parent process and originating HTTP request
- Deploy YARA rules for common web shell signatures on ArcGIS Server hosts and staging directories
- Alert on ArcGIS service accounts executing interpreters or scripting engines that fall outside baseline behavior
Monitoring Recommendations
- Enable verbose HTTP request logging on the ArcGIS Web Adaptor and reverse proxies fronting ArcGIS Server
- Forward ArcGIS Server, IIS, Apache, or Nginx logs to a centralized SIEM for retention and correlation
- Monitor filesystem changes in ArcGIS content directories using file integrity monitoring (FIM)
- Track process creation events with parent-child relationships from ArcGIS service accounts
How to Mitigate CVE-2026-9182
Immediate Actions Required
- Apply the fixed release identified in the May 2026 ArcGIS Security Bulletin to all ArcGIS Server instances running version 12.0 or earlier on Windows and Linux
- Inventory all internet-exposed ArcGIS Server deployments and prioritize patching of externally reachable hosts
- Review ArcGIS content and upload directories for unrecognized files created since the affected versions were deployed
- Rotate credentials, tokens, and service account passwords used by ArcGIS Server if evidence of upload activity is found
Patch Information
Esri has released a fixed version as part of the May 2026 ArcGIS Security Bulletin. Administrators should consult the Esri ArcGIS Security Bulletin for the specific patched build corresponding to their deployment. ArcGIS Enterprise for Kubernetes deployments do not require action for this issue.
Workarounds
- Restrict network access to ArcGIS Server administrative and upload endpoints using firewall rules or reverse proxy ACLs until patching is complete
- Place ArcGIS Server behind an authenticated reverse proxy or Web Application Firewall (WAF) that blocks unauthenticated POST requests to upload paths
- Enforce least-privilege permissions on the ArcGIS service account so writes are limited to non-executable directories
- Disable or remove any unused ArcGIS Server endpoints and services that are not required for production workloads
# Example: block unauthenticated access to ArcGIS admin/upload paths at the reverse proxy (Nginx)
location ~* /arcgis/(admin|rest/services)/.*/upload {
allow 10.0.0.0/8; # internal management range
deny all;
proxy_pass https://arcgis-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

