Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem.
Because content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service.
AnalysisAI
Arbitrary file write in Altium Enterprise Server ComparisonService allows authenticated workspace users to escape the temporary upload directory and plant files anywhere on the host filesystem via crafted multipart Content-Disposition headers in the Gerber upload APIs. The flaw (CVSS 4.0 score 9.4, CWE-22) escalates to remote code execution by dropping payloads into web-accessible paths or overwriting service binaries, and a vendor patch is available. No public exploit identified at time of analysis.
Technical ContextAI
Altium Enterprise Server is the on-premises collaboration and PLM backend for Altium Designer PCB workflows, exposing REST/multipart APIs for engineering artifacts including Gerber CAM files. The ComparisonService accepts uploaded Gerber files via multipart/form-data, and the filename field of the Content-Disposition header is consumed without canonicalization or sanitization before being joined to the temporary upload directory path. This is a textbook CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) where '../' sequences or absolute paths in the filename traverse outside the intended sandbox, allowing the application - running as the service account - to perform attacker-controlled writes anywhere the process has filesystem permissions, including web roots, scheduled task directories, or binary install paths.
RemediationAI
Vendor-released patch: Altium Enterprise Server 8.0.4 - upgrade all instances to 8.0.4 or later, consulting the vendor advisory index at https://www.altium.com/platform/security-compliance/security-advisories for release notes and upgrade procedure. If immediate patching is not feasible, restrict ComparisonService and Gerber upload API endpoints at the reverse proxy or WAF to block multipart requests whose Content-Disposition filename contains path separators, '..', or absolute paths (trade-off: legitimate filenames with unusual characters may be rejected), and tighten workspace user provisioning so only vetted accounts can authenticate to the server while you stage the upgrade. Additionally constrain the service account's filesystem permissions to its required directories and audit web-served directories for unexpected files to detect prior exploitation.
More in Altium Enterprise Server
View allRemote code execution in Altium Enterprise Server (versions prior to 8.1.1) and Altium 365 arises from a path traversal
Unauthenticated file disclosure and arbitrary file read in Altium Enterprise Server prior to 8.1.1 allows any network-re
Arbitrary file read in Altium Enterprise Server Collaboration Service (versions prior to 8.1.1) allows an authenticated
Arbitrary file read in Altium Enterprise Server on-premise deployments allows any authenticated low-privilege user to es
Server-side request forgery in the shared GraphQL service of Altium Enterprise Server (prior to 8.1.1) and Altium 365 al
Authenticated path traversal in Altium Enterprise Server (before 8.1.1) and Altium 365 lets a low-privileged user read a
Same weakness CWE-22 – Path Traversal
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31146
GHSA-396j-87wm-36mh