Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem.
Because the readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.
AnalysisAI
Arbitrary file read in Altium Enterprise Server on-premise deployments allows any authenticated low-privilege user to escape the configured storage root via URL-encoded absolute paths in the Viewer StorageController API, exposing the master configuration containing database credentials, signing keys, certificate passwords, and OAuth secrets. The CVSS 4.0 base score of 9.4 reflects scope change to confidential information enabling full server takeover; no public exploit identified at time of analysis, but the vendor (Altium) has released a fix and cloud-hosted tenants are unaffected because they do not use the local filesystem storage component.
Technical ContextAI
The defect is a classic CWE-22 path traversal in the StorageController route handler, which accepts a file-path route parameter intended to be resolved relative to a configured storage root. Because URL-decoding occurs after the framework's traversal/canonicalization checks (or those checks are absent), an encoded absolute path such as a percent-encoded drive letter (e.g. %43%3a or %2F) is reinterpreted as rooted, discarding the storage prefix and letting the underlying filesystem API open any file the service account can read. The affected CPE cpe:2.3:a:altium:altium_enterprise_server:*:*:*:*:*:*:*:* covers the on-premise product line; cloud deployments back the Viewer with object storage and do not load the vulnerable controller path.
RemediationAI
Upgrade on-premise Altium Enterprise Server to version 8.0.4 or later per the vendor advisory at https://www.altium.com/platform/security-compliance/security-advisories (Vendor-released patch: 8.0.4). Until the upgrade can be staged, restrict network access to the Viewer/Storage API endpoints to trusted administrative networks only, revoke or tightly scope low-privilege user accounts that can authenticate to the server, and consider running the service under a least-privilege OS account whose filesystem read scope excludes the master configuration directory (note: this may break legitimate signing or OAuth flows that need to load those files, so test before enforcing). After patching, rotate all secrets stored in the master configuration - database credentials, code-signing key passphrases, TLS certificate passwords, and OAuth client secrets - because any pre-patch read may have exfiltrated them undetected.
More in Altium Enterprise Server
View allRemote code execution in Altium Enterprise Server (versions prior to 8.1.1) and Altium 365 arises from a path traversal
Unauthenticated file disclosure and arbitrary file read in Altium Enterprise Server prior to 8.1.1 allows any network-re
Arbitrary file write in Altium Enterprise Server ComparisonService allows authenticated workspace users to escape the te
Arbitrary file read in Altium Enterprise Server Collaboration Service (versions prior to 8.1.1) allows an authenticated
Server-side request forgery in the shared GraphQL service of Altium Enterprise Server (prior to 8.1.1) and Altium 365 al
Authenticated path traversal in Altium Enterprise Server (before 8.1.1) and Altium 365 lets a low-privileged user read a
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31148
GHSA-3qfq-f4q6-pq76