ArcGIS Server Security 2026 Update 1 Patch

Summary

Esri announces the ArcGIS Server Security 2026 Update 1 Patch. Esri recommends that all customers using ArcGIS Server 12.0, 11.5, 11.4, 11.3 and 11.1 apply this patch. This patch deals specifically with the issues listed below under Issues addressed with this patch.

This patch can be uninstalled as outlined in the Uninstalling this patch on Windows and Uninstalling this patch on Linux sections below.

Esri recommends developing a rollback plan before installing patches. For those utilizing a highly available environment, refer to the help topic on how to apply patches in a highly available environment for guidance.

For more information on the security vulnerabilities addressed, please see the ArcGIS Trust Center announcements.

Important Note – May 4, 2026: The 11.4 version of the ArcGIS Server Security 2026 Update 1 Patch has been updated to address BUG-000184550. Please install the new setup by downloading from this page or using the ArcGIS Enterprise Patch Notification Tool. It is not necessary to uninstall the original patch; the new setup will install and replace the original patch. The new patch, when shown as available in the ArcGIS Enterprise Patch Notification tool, is listed as ArcGIS Server Security 2026 Update 1 Patch with a release date of May 4, 2026; once installed, it is listed as ArcGIS Server Security 2026 Update 1 Patch B.

Issues addressed with this patch

  • BUG-000184550 - After installing ArcGIS Server 11.4 Security 2026 Update 1 Patch, unable to publish hosted feature services in ArcGIS Enterprise portal. (11.4)
  • BUG-000182853 - Incorrect warning message returned when logging into Server Manager. (12.0, 11.5)
  • BUG-000182852 - ArcGIS Server has a Security Vulnerability. (12.0, 11.5, 11.4, 11.3, 11.1)
  • BUG-000182380 - After installing the ArcGIS Server 11.3 Security 2025 Update 2 Patch, it is no longer possible to upload .sd files through the ArcGIS REST API endpoint. (11.3 only)
  • BUG-000182112 - After installing the ArcGIS Server Security 2025 Update 2 Patch, certain non-English characters included in services may not be displayed correctly in the ArcGIS Server. (11.4, 11.3 and 11.1)
  • BUG-000181250 - Cannot disable or enable ArcGIS REST Services Directory in ArcGIS Server Administrator Directory (12.0 only)
  • BUG-000181179 - Restoring Knowledge Graph services using the WebGISDR tool fails. (11.3, 11.4)
  • BUG-000181143 - Unvalidated Redirect in ArcGIS Server. (11.5)
  • BUG-000180128 - After disaster recovery with the WebGISDR restore in a new passive standby environment, the ArcGIS Data Store object store host name is still pointing to the old object store host name in both ArcGIS Data Store (describedatastore) and ArcGIS Server data stores. (12.0 only)
  • BUG-000179280 - ArcGIS Server javaw.exe does not free memory. (11.3 only)
  • BUG-000176841 - Sync Tools crash when creating an offline map area for a federated ArcGIS Server site when user lacks any admin privileges. (11.3 only)

To avoid conflicts the 12.0 version also addresses:

  • None

To avoid conflicts the 11.5 version also addresses:

  • BUG-000180332 - Stored XSS vulnerability in ArcGIS Server.
  • BUG-000180328 - Unvalidated File Upload vulnerability in ArcGIS Server.
  • BUG-000180326 - Unvalidated File Upload vulnerability in ArcGIS Server.
  • BUG-000180128 - After disaster recovery with the WebGISDR restore in a new passive standby environment, the ArcGIS Data Store object store host name is still pointing to the old object store host name in both ArcGIS Data Store (describedatastore) and ArcGIS Server data stores.
  • BUG-000179710 - Hosting server unable to query and return any data from the relational data store and the ArcGIS Server log returns the error message "Hosted//FeatureServer: Ignite failed to process request".
  • BUG-000179056 - Log in with OAuth Login on a SAML-only portal does not work in ArcGIS Server Administrator Directory.
  • BUG-000178927 - Publishing a scene layer from a scene layer package (.slpk) file fails if the ArcGIS Server cache directory is not named 'arcgiscache'.
  • BUG-000178605 - The queryBins operation with type "dateBin" on esriFieldTypeDateOnly should not use the outTimeReference parameter.
  • BUG-000178604 - The queryBins and stackBy queries do not return null stackBy values.
  • BUG-000178603 - The queryBins count queries with stackBy return a null stackedAttribute for each empty bin.
  • BUG-000178602 - The queryBins stackBy parameter response does not return stackedAttributes with the specified field name in the query.
  • BUG-000178061 - The error message "column "upperboundary" does not exist" is returned when setting the upperBoundaryAlias parameter with the queryBins operation.
  • BUG-000176233 - Receive a comma in the Shape_Area output field that does not properly align with the numeric value when running the identify query in a Linux environment.
  • BUG-000175256 - The publishing process will fail at the addToDefinition request if the process is too fast in highly available ArcGIS Enterprise environments.
  • BUG-000173829 - Opening a scene layer in the ArcGIS REST Services Directory after upgrading to ArcGIS Enterprise 11.4 or 11.5 returns the error "Cannot invoke "com.esri.client.app.mapserver.TileDescriptor.getInputStream()" because "descriptor" is null".

To avoid conflicts the 11.4 version also addresses:

  • BUG-000180332 - Stored XSS vulnerability in ArcGIS Server.
  • BUG-000180331 - Stored XSS vulnerability in ArcGIS Server.
  • BUG-000180329 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000180328 - Unvalidated File Upload vulnerability in ArcGIS Server.
  • BUG-000180326 - Unvalidated File Upload vulnerability in ArcGIS Server.
  • BUG-000178927 - Publishing a scene layer from a scene layer package (.slpk) file fails if the ArcGIS Server cache directory is not named 'arcgiscache'.
  • BUG-000175692 - Reflected cross-site scripting (XSS) vulnerability in ArcGIS Server.
  • BUG-000173174 - There is a cross site scripting issue in ArcGIS Server.
  • BUG-000173070 - Additional queries are displayed in the ArcGIS Server logs when viewing a referenced scene layer, which at times causes performance issues.
  • BUG-000173043 - Requests to services running in the shared instance pool result in the 500 wait timeout error after rebooting Windows Server.
  • BUG-000172966 - ArcGIS Enterprise has a security vulnerability.
  • BUG-000172062 - Reflected XSS vulnerability in ArcGIS Server.

To avoid conflicts the 11.3 version also addresses:

  • BUG-000180332 - Stored XSS vulnerability in ArcGIS Server.
  • BUG-000180331 - Stored XSS vulnerability in ArcGIS Server.
  • BUG-000180329 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000180328 - Unvalidated File Upload vulnerability in ArcGIS Server.
  • BUG-000180326 - Unvalidated File Upload vulnerability in ArcGIS Server.
  • BUG-000179512 - When a token is being authorized, a password with a specific character count set up as a stand-alone ArcGIS Server with Lightweight Directory Access Protocol (LDAP) identity store returns a blank error.
  • BUG-000177069 - A service's maximum number of instances cannot be reached when there are many instances, and the CPU load is high.
  • BUG-000177067 - Some instances do not start as expected when there are many instances.
  • BUG-000176727 - Some service instances don't start after restoring ArcGIS Server from a backup on AWS when a cloud architecture has been used.
  • BUG-000175692 - Reflected cross-site scripting (XSS) vulnerability in ArcGIS Server.
  • BUG-000175256 - The publishing process will fail at the addToDefinition request if the process is too fast in highly available ArcGIS Enterprise environments.
  • BUG-000173865 - In ArcGIS Enterprise 11.3, the big data store (HDFS) validation in ArcGIS Server Manager fails with the error "[object Object]".
  • BUG-000173174 - There is a cross site scripting issue in ArcGIS Server.
  • BUG-000173145 - Contingent values intermittently disappear after adding new forms or creating offline areas with replicas in ArcGIS Field Maps.
  • BUG-000173070 - Additional queries are displayed in the ArcGIS Server logs when viewing a referenced scene layer, which at times causes performance issues.
  • BUG-000172966 - ArcGIS Enterprise has a security vulnerability.
  • BUG-000172919 - Query Legends fails and returns the error, "Invalid 'size'" if no value is populated in the size parameter.
  • BUG-000172062 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000171445 - Directory traversal vulnerability in ArcGIS Server
  • BUG-000171444 - SQL injection vulnerability in ArcGIS Server
  • BUG-000171443 - Local file inclusion (LFI) vulnerability in ArcGIS Server
  • BUG-000171441 - Stored XSS in ArcGIS Server Manager
  • BUG-000171439 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000171436 - Stored XSS in ArcGIS Server Rest services
  • BUG-000171435 - Unauthorized access to secure services in ArcGIS Server
  • BUG-000171366 - The applyEdits operations do not execute pending the completion of concurrent append operations.
  • BUG-000171365 - Inconsistent maxFieldNameLength service property value after adding the first layer to the service.
  • BUG-000171364 - Update definition call fails with a database error when adding a DateOnly or TimeOnly field to a layer template.
  • BUG-000170994 - The thumbnails of attachments are broken when published from ArcGIS Field Maps on Android devices due to image resizing issues.
  • BUG-000170201 - Unable to access the item details page but can unexpectedly access the REST endpoint of secured services not shared with the user account when assigned a custom role with at least one administrative privilege.
  • BUG-000169392 - Adding new features with text field value left bracket (<) followed by an alphabet to the feature service fails when the 'rollbackOnFailure' option is false, ultimately leading to corruption of the system-maintained i-table.
  • BUG-000168963 - Database connection strings inside of ArcGIS Server's dsconnections.lst files may become damaged when validating data store connections in ArcGIS Server.
  • BUG-000167757 - Downloading PDF attachments larger than 5 MB fails when ArcGIS Server is installed on Linux.
  • BUG-000165095 - The generateToken request references a relative path sequence in the serverUrl parameter
  • BUG-000159629 - Recurring ArcGIS Server logs indicate a '.kmz.zip' file cannot be removed from the 'arcgisuploads' directory.
  • BUG-000151001 - Intermittently, when opening a web application containing several services in ArcGIS Enterprise, one of the included feature services prompts for authentication, despite being shared publicly.

To avoid conflicts the 11.1 version also addresses:

  • BUG-000180332 - Stored XSS vulnerability in ArcGIS Server.
  • BUG-000180331 - Stored XSS vulnerability in ArcGIS Server.
  • BUG-000180329 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000180328 - Unvalidated File Upload vulnerability in ArcGIS Server.
  • BUG-000180326 - Unvalidated File Upload vulnerability in ArcGIS Server.
  • BUG-000175692 - Reflected cross-site scripting (XSS) vulnerability in ArcGIS Server.
  • BUG-000175256 - The publishing process will fail at the addToDefinition request if the process is too fast in highly available ArcGIS Enterprise environments.
  • BUG-000174931 - Feature service with Server Object Interceptor enabled on it does not release locks on a registered SQL Server geodatabase registered with ArcGIS Pro even after the feature service is stopped.
  • BUG-000173174 - There is a cross site scripting issue in ArcGIS Server.
  • BUG-000172966 - ArcGIS Enterprise has a security vulnerability.
  • BUG-000172305 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000172304 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172303 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172302 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172301 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000172300 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172299 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172298 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172297 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172296 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000172295 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172294 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000172293 - Stored XSS issue in ArcGIS Server Manager
  • BUG-000172291 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000172290 - Directory traversal vulnerability in ArcGIS Server
  • BUG-000172289 - Stored XSS in ArcGIS Server Rest services
  • BUG-000172287 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000172062 - Reflected XSS vulnerability in ArcGIS Server.
  • BUG-000171805 - In a stand-alone ArcGIS Server deployment, custom data feeds for feature services cannot be secured.
  • BUG-000171445 - Directory traversal vulnerability in ArcGIS Server
  • BUG-000171444 - SQL injection vulnerability in ArcGIS Server
  • BUG-000171443 - Local file inclusion (LFI) vulnerability in ArcGIS Server
  • BUG-000171441 - Stored XSS in ArcGIS Server Manager
  • BUG-000171439 - Stored XSS in ArcGIS Server Administrator Directory
  • BUG-000171436 - Stored XSS in ArcGIS Server Rest services
  • BUG-000171435 - Unauthorized access to secure services in ArcGIS Server
  • BUG-000171366 - The applyEdits operations do not execute pending the completion of concurrent append operations.
  • BUG-000169392 - Adding new features with text field value left bracket (<) followed by an alphabet to the feature service fails when the 'rollbackOnFailure' option is false, ultimately leading to corruption of the system-maintained i-table.
  • BUG-000168963 - Database connection strings inside of ArcGIS Server's dsconnections.lst files may become damaged when validating data store connections in ArcGIS Server.
  • BUG-000165095 - The generateToken request references a relative path sequence in the serverUrl parameter
  • BUG-000163353 - Hosted feature service stores incorrectly self-intersecting polylines as multi-part polylines.
  • BUG-000162858 - Restore of Workflow Manager Server hosted services using the WebGISDR tool fails to retain _views_ services due to issue in service creation.
  • BUG-000161319 - Vector tile layers sometimes display incomplete or blank tiles at certain scale levels.
  • BUG-000161218 - Long running geoprocessing jobs may fail due to premature token expiration.
  • BUG-000160408 - Incorrect encoding of special characters in the ArcGIS Data Store 11.1 spatiotemporal data stores.
  • BUG-000160218 - Incorrect mapping of the ArcGIS data type 'Date' for hosted knowledge graphs.
  • BUG-000160039 - An error "Insufficient number of object IDs allocated" occurs while editing a hosted feature service.
  • BUG-000158883 - Metadata for sublayers of a hosted or non-hosted feature layer in Portal for ArcGIS returns an error, "Error transforming metadata for the layer Code: 400".
  • BUG-000158047 - When making multiple requests to a map service with the returnAdvancedSymbols property being true, non-ASCII-characters are incorrectly encoded in responses after the initial request.
  • BUG-000158045 - The feature service layer resources with 'returnAdvancedSymbols=true' and 'returnDomainNames=true' have inconsistent responses.
  • BUG-000158036 - Non-English characters are not displayed properly in custom data feed feature service responses.
  • BUG-000154221 - After installing the ArcGIS Server Security 2022 Update 1 or 2 Patch, the KML region URL of a map service is invalid.
  • BUG-000147597 - ArcGIS Enterprise hosted services may fail after a machine restart.
  • BUG-000121487 - Tokens in the X-Esri-Authorization request header are ignored for federated servers.

Installing this patch on Windows

On Windows, the release date order of the patches does not matter when installing multiple patches. If an older patch is installed after a newer patch, the newer patch takes precedence and the fixes from the newer patch will remain. The ArcGIS Enterprise Patch Notification tool, when the option to install all available patches is activated, installs multiple patches in order of release date starting with oldest to newest.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.
 

Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

ArcGIS Enterprise

  • ArcGIS Server 12.0 - ArcGIS-120-S-SEC2026U1-Patch.msp
    Checksum (SHA256): 593E5DA8D25EAE37891927D257AC4392845BF895DEF4102F9B2684F671A77719
  • ArcGIS Server 11.5 - ArcGIS-115-S-SEC2026U1-Patch.msp
    Checksum (SHA256): 86638994880C3D618994B57467A8A36A0B61665CF8BE435CC51C01B4B9A80A9D
  • ArcGIS Server 11.4 - ArcGIS-114-S-SEC2026U1-PatchB.msp
    Checksum (SHA256): 3D0DA246D247FB087F2F4AF36E5566AF79BDAE8FB106A7D466E111E3BD1FC7E5
  • ArcGIS Server 11.3 - ArcGIS-113-S-SEC2026U1-Patch.msp
    Checksum (SHA256): 8A87602245DC570178E9A31EA78844D95131E3E6A412D8352544A3989745DEA9
  • ArcGIS Server 11.1 - ArcGIS-111-S-SEC2026U1-Patch.msp
    Checksum (SHA256): 38DED43561F58AF7A07F3C0CB0D9BAC68F7FA459956C1889B62028D5A94D95BB

Step 2: Make sure you have write access to your ArcGIS installation location.

Step 3: Double-click ArcGIS-<Version>-S-SEC2026U1-Patch.msp to start the setup process.

NOTE: If double clicking on the MSP file does not start the setup installation, you can start the setup installation manually by using the following command:

msiexec.exe /p [location of Patch]\ArcGIS-<Version>-S-SEC2026U1-Patch.msp
 

Installing this patch on Linux

On Linux, the release date order of the patches matters when installing multiple patches. If an older patch is installed after a newer patch, the older patch will replace the newer patch and the fixes in the newer patch will be removed. The ArcGIS Enterprise Patch Notification tool, when the option to install all available patches is activated, installs multiple patches in order of release date starting with oldest to newest.

Complete the following install steps as the ArcGIS Install owner. The Install owner is the owner of the arcgis folder. This patch should be installed on all ArcGIS Server installations related to the ArcGIS Server site.

The ArcGIS product listed in the table must be installed on your system before you can install a patch. Each patch setup is specific to the ArcGIS product in the list. To determine which products are installed on your system, please see the How to identify which ArcGIS products are installed section. Esri recommends that you install the patch for each product that is on your system.


Step 1: Download the appropriate file to a location other than your ArcGIS installation location.

ArcGIS Enterprise

  • ArcGIS Server 12.0 - ArcGIS-120-S-SEC2026U1-Patch-linux.tar
    Checksum (SHA256): CF0963DCF62A2DE1309C043DF926B928B7D1569C878B79C5EFC1DA6E280ADC48
  • ArcGIS Server 11.5 - ArcGIS-115-S-SEC2026U1-Patch-linux.tar
    Checksum (SHA256): D1EB2E344492D03ABFA7555F402883F0A07534C9F89137E53EE379BBE24FFDF3
  • ArcGIS Server 11.4 - ArcGIS-114-S-SEC2026U1-PatchB-linux.tar
    Checksum (SHA256): C3C902F5906E4FB6EC47651053D54AA585EEBA7D4DCDFD4120BA9DAB05292180
  • ArcGIS Server 11.3 - ArcGIS-113-S-SEC2026U1-Patch-linux.tar
    Checksum (SHA256): 9E46749C26E7CA75B76F2984D3FFD7D3CF366BC09F5294FD0FA35063F7AEA2E3
  • ArcGIS Server 11.1 - ArcGIS-111-S-SEC2026U1-Patch-linux.tar
    Checksum (SHA256): 25C5D567B9AE6E6101B4E3FBCEA01B4914CC3545DC3D75C158F9C367E9292E33

Step 2: Make sure you have write access to your ArcGIS installation location, and that no one is using ArcGIS.

Step 3: Extract the specified tar file by typing:

% tar -xvf ArcGIS-<Version>-S-SEC2026U1-Patch-linux.tar

Step 4: Start the installation by typing:

% ./applypatch

This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.
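Between Step 1 and Step 3, the downloaded tar can be checked against the SHA256 value published in Step 1, so that a corrupted or altered file is never extracted or run. The script below is an added example, not part of Esri's tooling; its function names and the download-directory argument are assumptions of this example, and the file names and checksums are the ones listed in Step 1.

```sh
#!/bin/sh
# Added example (not Esri tooling): check a downloaded Linux patch tar against
# the SHA256 published in Step 1 before extracting it in Step 3.

# version|file name|published SHA256, copied from the Step 1 list on this page.
PATCHES='12.0|ArcGIS-120-S-SEC2026U1-Patch-linux.tar|CF0963DCF62A2DE1309C043DF926B928B7D1569C878B79C5EFC1DA6E280ADC48
11.5|ArcGIS-115-S-SEC2026U1-Patch-linux.tar|D1EB2E344492D03ABFA7555F402883F0A07534C9F89137E53EE379BBE24FFDF3
11.4|ArcGIS-114-S-SEC2026U1-PatchB-linux.tar|C3C902F5906E4FB6EC47651053D54AA585EEBA7D4DCDFD4120BA9DAB05292180
11.3|ArcGIS-113-S-SEC2026U1-Patch-linux.tar|9E46749C26E7CA75B76F2984D3FFD7D3CF366BC09F5294FD0FA35063F7AEA2E3
11.1|ArcGIS-111-S-SEC2026U1-Patch-linux.tar|25C5D567B9AE6E6101B4E3FBCEA01B4914CC3545DC3D75C158F9C367E9292E33'

# Look up one column (2 = file name, 3 = checksum) for a version; fails if the
# version is not listed. String comparison is forced so "11.1" never equals "11.10".
patch_field() {
  printf '%s\n' "$PATCHES" | awk -F'|' -v v="$1" -v col="$2" \
    '($1 "") == (v "") { print $col; found = 1 } END { exit !found }'
}

patch_filename() { patch_field "$1" 2; }

# Published checksum, lowercased: the page prints uppercase hex, sha256sum prints lowercase.
expected_sha256() {
  sum=$(patch_field "$1" 3) || return 1
  printf '%s\n' "$sum" | tr 'A-F' 'a-f'
}

# Lowercase SHA256 of a file (sha256sum on Linux, shasum as a fallback).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_file FILE EXPECTED: 0 = match, 1 = mismatch, 2 = file missing.
verify_file() {
  [ -f "$1" ] || { echo "not found: $1" >&2; return 2; }
  actual=$(file_sha256 "$1")
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$want" ]; then
    return 0
  fi
  echo "SHA256 mismatch for $1" >&2
  echo "  published: $want" >&2
  echo "  computed:  $actual" >&2
  return 1
}

# verify_patch VERSION DOWNLOAD_DIR: picks the file name for the version
# (PatchB for 11.4) and checks it; 2 also means the version is not listed.
verify_patch() {
  name=$(patch_filename "$1") || { echo "no patch listed for version $1" >&2; return 2; }
  verify_file "$2/$name" "$(expected_sha256 "$1")"
}

# Usage: sh verify_patch.sh <version> <download dir>; extract only on success.
if [ "$#" -eq 2 ]; then
  verify_patch "$1" "$2" || exit 1
  echo "checksum OK: $(patch_filename "$1")"
fi
```
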

Uninstalling this patch on Windows

To uninstall this patch on Windows, open the Windows Control Panel and navigate to installed programs. Make sure that "View installed updates" (upper left side of the Programs and Features dialog) is active. Select the patch name from the programs list and click Uninstall to remove the patch.

Uninstalling this patch on Linux

Navigate to the <Product Installation Directory>/.Setup/qfe directory and run the following script as the ArcGIS Install owner:

./removepatch.sh


The removepatch.sh script allows you to uninstall previously installed patches or hot fixes. Use the -s status flag to get the list of installed patches or hot fixes ordered by date. Use the -q flag to remove patches or hot fixes in reverse chronological order by date they were installed. Type removepatch -h for usage help.

Restart your ArcGIS services.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.

PatchFinder for Windows

PatchFinder for Linux/Unix

