Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (4760f414-e1ae-4ff1-bdad-c7a9c3538b79) · only source for this CVE.
CVSS VectorVendor: 4760f414-e1ae-4ff1-bdad-c7a9c3538b79
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController due to improper validation of a user-controlled path component in image upload requests. An authenticated user can supply a crafted absolute path so that the configured storage root is discarded, allowing arbitrary files to be written to any location on the server filesystem writable by the service account.
Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, this can be escalated to remote code execution, service takeover, or denial of service. Altium 365 cloud deployments are not affected, as the affected endpoint is not reachable and the cloud storage architecture mitigates the file-write primitive.
AnalysisAI
Arbitrary file write in the Altium Enterprise Server Vault Service allows authenticated users to escape the configured storage root via the UploadController image upload endpoint and place content-controlled files anywhere the service account can write. The flaw (CVSS 4.0 base 9.4, CWE-22) escalates to remote code execution, service takeover, or denial of service by overwriting application binaries, configuration files, or dropping payloads in web-accessible directories. No public exploit identified at time of analysis, and Altium 365 cloud deployments are explicitly out of scope.
Technical ContextAI
The Vault Service is the on-premises content/document storage backbone of the Altium Enterprise Server (formerly Altium Concord Pro / NEXUS Server), used by PCB and electronics design teams to manage component libraries and design data. The UploadController image handler accepts a user-controlled path fragment that is concatenated with the configured storage root without normalization or boundary enforcement; supplying an absolute path causes standard path-join semantics to discard the prefix, producing a classic CWE-22 (Path Traversal) primitive that resolves to an unconstrained write. Because the write inherits the Vault Service account's filesystem privileges, it reaches anywhere that identity can write - typically the application install directory, IIS or service web roots, and on-disk configuration. Altium 365 SaaS is unaffected because the vulnerable endpoint is not externally reachable and the cloud tier uses object storage rather than a writable local filesystem.
RemediationAI
Patch availability per vendor advisory should be confirmed against the Altium security advisories portal at https://www.altium.com/platform/security-compliance/security-advisories, as no exact fix version is included in the supplied data and no vendor-released patch version is independently confirmed here. Until a verified build is applied, restrict network reachability of the Vault Service UploadController to trusted management networks via firewall or reverse-proxy ACLs, audit and reduce the population of accounts that hold upload privileges (revoking unused or shared Vault credentials), and run the Vault Service under a least-privileged account that lacks write access to the web root, the Altium install directory, and configuration files - accepting the trade-off that overly tight ACLs may break legitimate upload, indexing, or update flows. Where feasible for the organization's workflow, migrating affected on-premises deployments to Altium 365 removes exposure because the vulnerable endpoint is not reachable there.
More in On Prem Enterprise Server
View allUnauthenticated arbitrary file write and read in the Network Installation Service (NIS) component of Altium Enterprise S
AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic f
Stored XSS in Altium Workflow Engine allows authenticated users to inject malicious scripts into workflow forms that exe
HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attac
A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker
Same weakness CWE-22 – Path Traversal
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34913
GHSA-6hrc-72jv-9cp2