Skip to main content

Altium Enterprise Server CVE-2026-11431

| EUVDEUVD-2026-34919 HIGH
Path Traversal (CWE-22)
2026-06-05 Altium GHSA-96xj-rmhf-c584
8.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 23:50 vuln.today
Patch available
Jun 05, 2026 - 23:01 EUVD
CVSS changed
Jun 05, 2026 - 22:22 NVD
8.3 (HIGH)
CVE Published
Jun 05, 2026 - 21:08 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A path traversal vulnerability exists in the Projects Service download endpoint shared by Altium Enterprise Server and Altium 365. An authenticated user can supply a crafted path parameter that bypasses validation, allowing arbitrary files (including entire directories returned as archives) to be read from the server filesystem.

Because the readable files include service configuration and credential material, exploitation can be used to gather information enabling further compromise. The issue can be combined with CVE-2026-11424 to reach the cloud-side endpoint. On multi-tenant Altium 365 deployments, the readable configuration could have exposed credentials shared across services. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.

AnalysisAI

Authenticated path traversal in Altium Enterprise Server (before 8.1.1) and Altium 365 lets a low-privileged user read arbitrary files - including service configuration and credential material - via a crafted path parameter to the Projects Service download endpoint. No public exploit is identified at time of analysis, but the flaw is chainable with CVE-2026-11424 to reach the cloud-side endpoint, and on multi-tenant Altium 365 deployments the leaked credentials could be shared across services, sharply amplifying blast radius.

Technical ContextAI

The vulnerability is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in a download handler within the Projects Service shared between the on-prem Altium Enterprise Server (cpe:2.3:a:altium:altium_enterprise_server) and the SaaS Altium 365 (cpe:2.3:a:altium:altium_365) - both PLM/ECAD collaboration platforms used by hardware engineering teams to store schematics, libraries, and project artifacts. Input validation on a user-supplied path parameter fails to canonicalize or constrain traversal sequences, so the endpoint resolves filesystem locations outside the intended project storage root. Because the endpoint also supports returning directories as archives, a single request can exfiltrate entire configuration trees rather than one file at a time, magnifying the disclosure impact relative to a typical single-file read primitive.

RemediationAI

Vendor-released patch: Altium Enterprise Server 8.1.1 - upgrade on-prem deployments to 8.1.1 or later immediately, per the Altium advisory at https://www.altium.com/platform/security-compliance/security-advisories. Altium 365 has been remediated server-side by the vendor, so SaaS customers require no action for the fix itself, but should rotate any credentials, API tokens, or service secrets that may have been stored in the Projects Service configuration before the patch date, since the flaw enabled disclosure of credential material with potential cross-tenant reach. As a compensating control for organizations that cannot upgrade Enterprise Server immediately, restrict the Projects Service download endpoint to known IP ranges via reverse-proxy ACLs and tighten account provisioning so PR:L cannot be casually obtained - accept that this breaks legitimate remote project downloads. Also review and remediate the chained CVE-2026-11424 if the deployment is internet-exposed.

Share

CVE-2026-11431 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy