ESRI Enterprise Vulnerability for Tomcat - CVE-2026-29146

vipulsoni

Greetings All,

we have received multiple alerts from Cybersecurity Team for the - CVE-2026-29146, tomcat software present in almost all the Esri Enterprise Products. 11.3 and 11.5 installations of ArcGIS Server and ArcGIS Portal, ArcGIS Data Store. I am unable to find any ESRI Patch or Document stating the vulnerability mitigation patch or the affect of this vulnerability to ESRI Enterprise Software Suite.

SoftwareName	SoftwareVersion	CveId	EvidencePaths
tomcat	9.0.84.0	CVE-2026-29146	["c:\\program files\\arcgis\\server\\framework\\runtime\\tomcat\\bin\\tomcat-juli.jar"]
tomcat	9.0.84.0	CVE-2026-29146	["c:\\program files\\arcgis\\datastore\\framework\\runtime\\tomcat\\bin\\tomcat-juli.jar","c:\\program files\\arcgis\\portal\\framework\\runtime\\tomcat\\bin\\tomcat-juli.jar","c:\\program files\\arcgis\\server\\framework\\runtime\\tomcat\\bin\\tomcat-juli.jar"]
tomcat	10.1.34.0	CVE-2026-29146	["c:\\program files\\arcgis\\server\\framework\\runtime\\tomcat\\bin\\tomcat-juli.jar"]
tomcat	10.1.34.0	CVE-2026-29146	["c:\\program files\\arcgis\\server\\framework\\runtime\\tomcat\\bin\\tomcat-juli.jar"]
tomcat	10.1.34.0	CVE-2026-29146	["c:\\program files\\arcgis\\server\\framework\\runtime\\tomcat\\bin\\tomcat-juli.jar"]
tomcat	10.1.34.0	CVE-2026-29146	["c:\\program files\\arcgis\\server\\framework\\runtime\\tomcat\\bin\\tomcat-juli.jar"]
tomcat	9.0.84.0	CVE-2026-29146	["c:\\program files\\arcgis\\datastore\\framework\\runtime\\tomcat\\bin\\tomcat-juli.jar","c:\\program files\\arcgis\\server\\framework\\runtime\\tomcat\\bin\\tomcat-juli.jar"]
tomcat	9.0.62.0	CVE-2026-29146	["c:\\program files\\arcgis\\datastore\\framework\\runtime\\tomcat\\bin\\tomcat-juli.jar","c:\\program files\\arcgis\\server\\framework\\runtime\\tomcat\\bin\\tomcat-juli.jar"]