Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A path traversal vulnerability exists in the Projects Service download endpoint shared by Altium Enterprise Server and Altium 365. An authenticated user can supply a crafted path parameter that bypasses validation, allowing arbitrary files (including entire directories returned as archives) to be read from the server filesystem.
Because the readable files include service configuration and credential material, exploitation can be used to gather information enabling further compromise. The issue can be combined with CVE-2026-11424 to reach the cloud-side endpoint. On multi-tenant Altium 365 deployments, the readable configuration could have exposed credentials shared across services. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.
AnalysisAI
Authenticated path traversal in Altium Enterprise Server (before 8.1.1) and Altium 365 lets a low-privileged user read arbitrary files - including service configuration and credential material - via a crafted path parameter to the Projects Service download endpoint. No public exploit is identified at time of analysis, but the flaw is chainable with CVE-2026-11424 to reach the cloud-side endpoint, and on multi-tenant Altium 365 deployments the leaked credentials could be shared across services, sharply amplifying blast radius.
Technical ContextAI
The vulnerability is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in a download handler within the Projects Service shared between the on-prem Altium Enterprise Server (cpe:2.3:a:altium:altium_enterprise_server) and the SaaS Altium 365 (cpe:2.3:a:altium:altium_365) - both PLM/ECAD collaboration platforms used by hardware engineering teams to store schematics, libraries, and project artifacts. Input validation on a user-supplied path parameter fails to canonicalize or constrain traversal sequences, so the endpoint resolves filesystem locations outside the intended project storage root. Because the endpoint also supports returning directories as archives, a single request can exfiltrate entire configuration trees rather than one file at a time, magnifying the disclosure impact relative to a typical single-file read primitive.
RemediationAI
Vendor-released patch: Altium Enterprise Server 8.1.1 - upgrade on-prem deployments to 8.1.1 or later immediately, per the Altium advisory at https://www.altium.com/platform/security-compliance/security-advisories. Altium 365 has been remediated server-side by the vendor, so SaaS customers require no action for the fix itself, but should rotate any credentials, API tokens, or service secrets that may have been stored in the Projects Service configuration before the patch date, since the flaw enabled disclosure of credential material with potential cross-tenant reach. As a compensating control for organizations that cannot upgrade Enterprise Server immediately, restrict the Projects Service download endpoint to known IP ranges via reverse-proxy ACLs and tighten account provisioning so PR:L cannot be casually obtained - accept that this breaks legitimate remote project downloads. Also review and remediate the chained CVE-2026-11424 if the deployment is internet-exposed.
More in Altium Enterprise Server
View allRemote code execution in Altium Enterprise Server (versions prior to 8.1.1) and Altium 365 arises from a path traversal
Unauthenticated file disclosure and arbitrary file read in Altium Enterprise Server prior to 8.1.1 allows any network-re
Arbitrary file write in Altium Enterprise Server ComparisonService allows authenticated workspace users to escape the te
Arbitrary file read in Altium Enterprise Server Collaboration Service (versions prior to 8.1.1) allows an authenticated
Arbitrary file read in Altium Enterprise Server on-premise deployments allows any authenticated low-privilege user to es
Server-side request forgery in the shared GraphQL service of Altium Enterprise Server (prior to 8.1.1) and Altium 365 al
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34919
GHSA-96xj-rmhf-c584