Skip to main content

Altium Enterprise Server CVE-2026-9102

| EUVDEUVD-2026-31146 CRITICAL
Path Traversal (CWE-22)
2026-05-20 Altium GHSA-396j-87wm-36mh
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 20, 2026 - 20:04 vuln.today
Patch available
May 20, 2026 - 20:02 EUVD

DescriptionCVE.org

A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem.

Because content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service.

AnalysisAI

Arbitrary file write in Altium Enterprise Server ComparisonService allows authenticated workspace users to escape the temporary upload directory and plant files anywhere on the host filesystem via crafted multipart Content-Disposition headers in the Gerber upload APIs. The flaw (CVSS 4.0 score 9.4, CWE-22) escalates to remote code execution by dropping payloads into web-accessible paths or overwriting service binaries, and a vendor patch is available. No public exploit identified at time of analysis.

Technical ContextAI

Altium Enterprise Server is the on-premises collaboration and PLM backend for Altium Designer PCB workflows, exposing REST/multipart APIs for engineering artifacts including Gerber CAM files. The ComparisonService accepts uploaded Gerber files via multipart/form-data, and the filename field of the Content-Disposition header is consumed without canonicalization or sanitization before being joined to the temporary upload directory path. This is a textbook CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) where '../' sequences or absolute paths in the filename traverse outside the intended sandbox, allowing the application - running as the service account - to perform attacker-controlled writes anywhere the process has filesystem permissions, including web roots, scheduled task directories, or binary install paths.

RemediationAI

Vendor-released patch: Altium Enterprise Server 8.0.4 - upgrade all instances to 8.0.4 or later, consulting the vendor advisory index at https://www.altium.com/platform/security-compliance/security-advisories for release notes and upgrade procedure. If immediate patching is not feasible, restrict ComparisonService and Gerber upload API endpoints at the reverse proxy or WAF to block multipart requests whose Content-Disposition filename contains path separators, '..', or absolute paths (trade-off: legitimate filenames with unusual characters may be rejected), and tighten workspace user provisioning so only vetted accounts can authenticate to the server while you stage the upgrade. Additionally constrain the service account's filesystem permissions to its required directories and audit web-served directories for unexpected files to detect prior exploitation.

Share

CVE-2026-9102 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy