Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to move arbitrary files outside the intended repository area.
This file-move primitive can be used to place attacker-controlled script content into directories where it is later executed by the service, resulting in remote code execution under the Git Service account. On multi-tenant Altium 365 deployments, this could have allowed access to data belonging to other tenants on the same infrastructure node. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.
AnalysisAI
Remote code execution in Altium Enterprise Server (versions prior to 8.1.1) and Altium 365 arises from a path traversal flaw in the shared Git Service component, which processes post-clone file-manipulation operations using user-supplied paths without validation. An authenticated user with basic git permissions can move arbitrary files outside the repository area, drop attacker-controlled scripts into directories the service later executes, and on multi-tenant Altium 365 infrastructure could have reached data belonging to other tenants on the same node. No public exploit identified at time of analysis, and EPSS sits at 0.44% (63rd percentile).
Technical ContextAI
The vulnerability lives in the Git Service component shared across Altium's cloud (Altium 365, cpe:2.3:a:altium:altium_365) and on-premises (Altium Enterprise Server, cpe:2.3:a:altium:altium_enterprise_server) PCB/EDA collaboration platforms. After a successful git clone, the service runs a sequence of file-manipulation operations whose source and destination paths are taken from user-supplied input and never canonicalized or constrained to the repository root - a textbook CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) condition. Because the Git Service runs as a privileged backend identity and hosts content for many repositories (and, on Altium 365, many tenants), traversal sequences such as '..' segments allow an authenticated client to write files into arbitrary filesystem locations that the service itself later loads or executes.
RemediationAI
On-premises operators should upgrade Altium Enterprise Server to 8.1.1 or later, which is the vendor-released patch and the only fully supported fix. Altium 365 customers are already covered because Altium has remediated the shared Git Service in production, but should still confirm via the advisories portal at https://www.altium.com/platform/security-compliance/security-advisories. If immediate patching of Altium Enterprise Server is not possible, compensating controls include tightly restricting which accounts are granted basic git access to the Enterprise Server (since exploitation requires an authenticated git user per the description), placing the Git Service behind a network segment reachable only by trusted engineering hosts, and enabling filesystem-level auditing on the Git Service account to alert on unexpected writes outside repository storage paths - note these controls reduce but do not eliminate risk from insider abuse or stolen credentials.
More in Altium Enterprise Server
View allUnauthenticated file disclosure and arbitrary file read in Altium Enterprise Server prior to 8.1.1 allows any network-re
Arbitrary file write in Altium Enterprise Server ComparisonService allows authenticated workspace users to escape the te
Arbitrary file read in Altium Enterprise Server Collaboration Service (versions prior to 8.1.1) allows an authenticated
Arbitrary file read in Altium Enterprise Server on-premise deployments allows any authenticated low-privilege user to es
Server-side request forgery in the shared GraphQL service of Altium Enterprise Server (prior to 8.1.1) and Altium 365 al
Authenticated path traversal in Altium Enterprise Server (before 8.1.1) and Altium 365 lets a low-privileged user read a
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34918
GHSA-f7c8-3j67-9q8x