ArcGIS Blog

May 2026 ArcGIS Security Bulletin

By Mark Bierman, Randall Williams, and Michael Young

ArcGIS Server Security 2026 Update 2 Patch has been released here.

This patch resolves Critical and Medium Severity vulnerabilities in ArcGIS Server versions 12.0 and prior.

This patch was released May 27th, 2026. We strongly encourage ArcGIS Enterprise customers to apply this patch within the next two weeks to minimize risk.

Important Notes:

  • Cumulative – This patch is cumulative: you do not need to install any previous ArcGIS Server Security patches before installing it, and it is NOT dependent on other patches being in place. Using the Patch Notification Utility can help ease this process.
    Note: This patch does not include fixes for previously addressed ArcGIS Feature Server or Map Server vulnerabilities. It addresses issues in the ArcGIS Server application framework.
  • Mitigation – To mitigate these vulnerabilities, we strongly recommend that all ArcGIS Enterprise customers install this patch as soon as possible.

Vulnerability Details

CVE-2026-9181

  • Description: ArcGIS Server contains a directory traversal vulnerability. An unauthenticated attacker could exploit this issue by sending crafted path parameters. Successful exploitation could allow access to sensitive files on the system. This issue impacts all versions of ArcGIS Server 12.0 and prior.
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • Base CVSSv3.1: 9.8
  • Temporal CVSSv3.1: 9.4
  • Affected: ArcGIS Server 12.0 and prior.

CVE-2026-9182

  • Description: ArcGIS Server contains an unrestricted file upload vulnerability. An unauthenticated attacker could exploit this issue by uploading a crafted file to the affected endpoint. Successful exploitation could allow arbitrary file upload.
  • CWE-434: Unrestricted Upload of File with Dangerous Type
  • Base CVSSv3.1: 5.3
  • Temporal CVSSv3.1: 5.1
  • Affected: ArcGIS Server 12.0 and prior.
