Skip to main content

Altium Enterprise Server CVE-2026-11420

| EUVDEUVD-2026-34914 CRITICAL
Path Traversal (CWE-22)
2026-06-05 4760f414-e1ae-4ff1-bdad-c7a9c3538b79 GHSA-q58x-mgvc-jhw9
10.0
CVSS 4.0 · Vendor: 4760f414-e1ae-4ff1-bdad-c7a9c3538b79
Share

Severity by source

Vendor (4760f414-e1ae-4ff1-bdad-c7a9c3538b79) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (4760f414-e1ae-4ff1-bdad-c7a9c3538b79) · only source for this CVE.

CVSS VectorVendor: 4760f414-e1ae-4ff1-bdad-c7a9c3538b79

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 05, 2026 - 22:01 EUVD
Analysis Generated
Jun 05, 2026 - 20:31 vuln.today

DescriptionCVE.org

Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on the server filesystem and to read package archive files from the server. No authentication, session, or credentials are required.

Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, exploitation can be escalated to remote code execution in the context of the service account, and can disclose deployment package contents. Altium 365 cloud deployments are not affected, as the Network Installation Service is not part of the cloud offering.

AnalysisAI

Unauthenticated arbitrary file write and read in the Network Installation Service (NIS) component of Altium Enterprise Server enables remote attackers to overwrite binaries or configuration, drop content into web-accessible directories, and exfiltrate package archives - escalating to remote code execution as the service account. The CVSS 4.0 score of 10.0 (AV:N/AC:L/PR:N/UI:N with high impact across confidentiality, integrity, availability and scope) reflects a worst-case unauthenticated network primitive. No public exploit identified at time of analysis, and Altium 365 cloud deployments are explicitly out of scope.

Technical ContextAI

The flaw resides in the Network Installation Service (NIS), an on-premises component of Altium Enterprise Server used to distribute installation/deployment packages to client workstations across an engineering network. Two CWE-22 path traversal weaknesses in the NIS request handlers fail to canonicalize or constrain user-supplied paths, so attacker-controlled '..' sequences (or absolute paths) reach the underlying filesystem APIs on both write and read code paths. Because NIS runs as a privileged Windows service account with broad filesystem rights and typically co-locates with the Altium web UI directories, an attacker can both stage payloads into webroot/binary locations and harvest proprietary deployment archives. CPE data was not supplied with this submission, so exact affected versions must be confirmed from the vendor advisory.

RemediationAI

Apply the vendor-released update for Altium Enterprise Server as soon as it is published - consult https://www.altium.com/platform/security-compliance/security-advisories for the exact fixed build (specific version not provided in the input data, so do not assume a number). Until patched, the most effective compensating control is to restrict network reachability of the NIS endpoint to a trusted management segment via host firewall or network ACL, since the service has no authentication layer to harden; this will break Altium client installation workflows for users outside that segment and should be coordinated with engineering IT. As a secondary mitigation, monitor the NIS service account's filesystem for unexpected writes into webroot, Program Files, or service configuration directories, and alert on creation of executable or scripting files there. Migrating eligible workloads to Altium 365 cloud avoids the vulnerable component entirely but is a significant operational change rather than a short-term fix.

Share

CVE-2026-11420 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy