Skip to main content

Altium Enterprise Server CVE-2026-11424

| EUVDEUVD-2026-34917 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-05 Altium GHSA-v97p-56pc-586g
8.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 23:51 vuln.today
Patch available
Jun 05, 2026 - 23:01 EUVD
CVSS changed
Jun 05, 2026 - 22:22 NVD
8.3 (HIGH)
CVE Published
Jun 05, 2026 - 20:51 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A server-side request forgery (SSRF) vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a request whose input is treated as a URL by the server and used to issue an outbound HTTP GET request without URL validation or destination filtering. The response body is then returned to the user.

This allows an authenticated attacker to reach internal services and metadata endpoints that would not otherwise be accessible from the public network, and to retrieve their contents. The impact is information disclosure and internal infrastructure reconnaissance; the request primitive is limited to HTTP GET with no custom headers. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.

AnalysisAI

Server-side request forgery in the shared GraphQL service of Altium Enterprise Server (prior to 8.1.1) and Altium 365 allows authenticated users to coerce the server into issuing arbitrary outbound HTTP GET requests and receiving the response body. The flaw enables reconnaissance of internal services and cloud metadata endpoints not reachable from the public network. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The vulnerability resides in a GraphQL service component shared between the on-premise Altium Enterprise Server (cpe:2.3:a:altium:altium_enterprise_server) and the Altium 365 cloud platform (cpe:2.3:a:altium:altium_365). It is classified as CWE-918 (SSRF): a user-supplied input that should be a constrained identifier is instead trusted as a URL and passed to the server's HTTP client without scheme, host, or destination allowlisting. Because the response body is reflected back to the requester, the GraphQL endpoint becomes a generic outbound HTTP GET proxy, which on a cloud-hosted deployment such as Altium 365 typically exposes IMDS-style metadata services (e.g., 169.254.169.254) as well as internal microservices bound to private RFC1918 ranges.

RemediationAI

Vendor-released patch: upgrade Altium Enterprise Server to version 8.1.1 or later, per the Altium security advisory at https://www.altium.com/platform/security-compliance/security-advisories. Altium 365 customers do not need to take action - the vendor has already remediated the issue at the service level. If immediate patching of an on-premise Enterprise Server is not possible, compensating controls include placing the server behind an egress firewall that denies outbound HTTP to RFC1918 ranges and cloud metadata IPs (notably 169.254.169.254 and fd00:ec2::254), enforcing IMDSv2 with hop-limit 1 on AWS hosts so the GET-only primitive cannot retrieve a session token, and restricting which authenticated principals can call the affected GraphQL operations via reverse-proxy ACLs. The egress filter has the side effect of breaking any legitimate server-initiated HTTP calls to internal systems, which should be inventoried before enforcement.

Share

CVE-2026-11424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy