Skip to main content

Altium Enterprise Server CVE-2026-11414

| EUVDEUVD-2026-34899 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-06-05 Altium GHSA-q7h9-qxg9-hrm3
10.0
CVSS 4.0 · Vendor: Altium
Share

Severity by source

Vendor (Altium) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (Altium) · only source for this CVE.

CVSS VectorVendor: Altium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 21:51 vuln.today
Patch available
Jun 05, 2026 - 21:01 EUVD
CVSS changed
Jun 05, 2026 - 20:22 NVD
10.0 (CRITICAL)
CVE Published
Jun 05, 2026 - 19:01 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and retrieve files from the Vault storage area without any authentication, session, or credentials.

A separate path traversal vulnerability in the same download endpoint allows the configured storage root to be escaped, enabling reads of arbitrary files on the server filesystem. Combined, these issues allow an unauthenticated attacker to obtain sensitive server configuration and key material, which can lead to full server compromise. The vulnerability can be chained with CVE-2026-9152 to enumerate and bulk-download stored content. Altium 365 cloud deployments are not impacted in practice, as file storage uses object storage rather than the local filesystem.

AnalysisAI

Unauthenticated file disclosure and arbitrary file read in Altium Enterprise Server prior to 8.1.1 allows any network-reachable attacker to forge signed Vault download URLs using a hard-coded key shipped identically across all installations. Chained with a co-located path traversal in the same download endpoint (and optionally CVE-2026-9152 for enumeration), an attacker can read arbitrary server-side files including configuration and key material, leading to full server compromise. No public exploit identified at time of analysis; CVSS 4.0 score is 10.0 and Altium 365 SaaS is not affected because cloud deployments use object storage rather than the local filesystem.

Technical ContextAI

Altium Enterprise Server is the self-hosted version of Altium's PLM/PDM platform for electronic design data, including the Vault service used to store engineering files. The root cause is CWE-798 (Use of Hard-Coded Cryptographic Key): the Vault download endpoint signs URLs with a static key embedded in the product binary, identical across every customer install, so signatures are universally forgeable rather than tenant- or instance-specific. A second flaw in the same handler fails to canonicalize the requested storage path before resolving it against the configured storage root, permitting traditional path traversal (../ sequences) to escape into arbitrary filesystem locations readable by the service account. The vendor tag 'Hashicorp' in the intelligence feed suggests the leaked filesystem contents typically include HashiCorp-format secrets or Vault-related configuration that yields further privilege escalation paths on the host.

RemediationAI

Upgrade Altium Enterprise Server to version 8.1.1 or later, which is the vendor-released patch and the only complete remediation since the hard-coded key cannot be changed by the operator without a code-level rotation. Until the upgrade window, restrict network reachability to the Vault download endpoint at the perimeter so that only trusted engineering networks or VPN clients can issue download requests - this blocks the signature-forgery path but also blocks legitimate remote designers, so plan for user impact. As a stop-gap layered control, place a reverse proxy or WAF in front of the server to drop requests whose path component contains traversal sequences (../, encoded variants %2e%2e, double-encoded ..%252f) and log download endpoint hits for offline review; this does not stop signature forgery for in-scope files but does shut down the arbitrary-file-read leg used to harvest key material. After patching, rotate any credentials, API tokens, or HashiCorp/Vault secrets that resided on the filesystem of an exposed server, since you must assume those have been read. The vendor advisory index is at https://www.altium.com/platform/security-compliance/security-advisories.

Share

CVE-2026-11414 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy