External risk intelligence

ArcGIS Server Directory Traversal Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-9181

ArcGIS Server is commonly deployed as an internet-facing web application or API gateway to serve geospatial data and mapping services, making its network-accessible interfaces frequently exposed to the public internet in standard production environments.

Path Traversal

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical directory traversal vulnerability in ArcGIS Server that could allow an unauthenticated attacker to access sensitive files on the system by sending specially crafted requests.

  • Unauthenticated access to sensitive system files.
  • Potential for broad data compromise.
  • Confirm relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to ArcGIS Server. These requests would leverage a directory traversal flaw to access sensitive files on the server, potentially leading to unauthorized information disclosure and system compromise.

  • Network access required for the attacker.
  • Crafted path parameters trigger the flaw.
  • Sensitive file access and system compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to access sensitive files on the system. This is possible when specially crafted path parameters are sent to an affected ArcGIS Server.

  • System files could be accessed.
  • Via crafted path parameters.
  • Unauthorized access to sensitive data.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world ownership of this directory traversal vulnerability in ArcGIS Server likely falls to infrastructure or platform teams responsible for the server's operation, with coordination from security and application owners to identify critical instances. The first practical step is to locate all ArcGIS Server deployments, assess their exposure and business criticality, and then assign the issue to the accountable owner for risk-based remediation planning.

  • Infrastructure or platform teams own the issue.
  • Verify server exposure and business criticality first.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is ArcGIS Server?

ArcGIS Server is enterprise software used to host, manage, and share geospatial data, maps, and analytic tools over the web. It functions as a backend system that allows organizations to provide interactive mapping services and spatial data processing capabilities to internal and external users via web-based applications.

What is the vulnerability in CVE-2026-9181?

This CVE involves a directory traversal weakness, classified as CWE-22. It occurs when an application fails to properly sanitize user-supplied input used in file path lookups. By manipulating these paths, an attacker can trick the server into accessing files or directories outside of the intended, restricted location, potentially leading to unauthorized data disclosure.

How does an attacker trigger CVE-2026-9181?

An attacker triggers this issue by sending specifically crafted network requests containing malicious path parameters to the server. Simply browsing the site or performing standard administrative tasks does not trigger the flaw. The vulnerability requires the submission of these intentionally malformed inputs to successfully traverse the file directory structure.

Is my ArcGIS Server deployment at risk?

According to Halo Surface Signal, ArcGIS Server is frequently deployed as an internet-facing gateway to provide mapping services, making it a common target. If your instance is accessible from the public internet, it faces a higher likelihood of being reachable by unauthorized actors. Instances isolated within internal networks are typically at lower risk from external network-based exploitation.

What should I do if I run ArcGIS Server?

First, conduct a comprehensive audit to identify all active ArcGIS Server deployments in your environment. Evaluate each server based on its business criticality and network exposure. Once identified, coordinate with your infrastructure and security teams to prioritize these assets for remediation, focusing on those most exposed to network traffic while you review vendor guidance for updates.

References