Skip to main content

Altium Enterprise Server CVE-2026-9129

| EUVDEUVD-2026-31148 CRITICAL
Path Traversal (CWE-22)
2026-05-20 Altium GHSA-3qfq-f4q6-pq76
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 20, 2026 - 20:05 vuln.today
Patch available
May 20, 2026 - 20:02 EUVD

DescriptionCVE.org

A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem.

Because the readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.

AnalysisAI

Arbitrary file read in Altium Enterprise Server on-premise deployments allows any authenticated low-privilege user to escape the configured storage root via URL-encoded absolute paths in the Viewer StorageController API, exposing the master configuration containing database credentials, signing keys, certificate passwords, and OAuth secrets. The CVSS 4.0 base score of 9.4 reflects scope change to confidential information enabling full server takeover; no public exploit identified at time of analysis, but the vendor (Altium) has released a fix and cloud-hosted tenants are unaffected because they do not use the local filesystem storage component.

Technical ContextAI

The defect is a classic CWE-22 path traversal in the StorageController route handler, which accepts a file-path route parameter intended to be resolved relative to a configured storage root. Because URL-decoding occurs after the framework's traversal/canonicalization checks (or those checks are absent), an encoded absolute path such as a percent-encoded drive letter (e.g. %43%3a or %2F) is reinterpreted as rooted, discarding the storage prefix and letting the underlying filesystem API open any file the service account can read. The affected CPE cpe:2.3:a:altium:altium_enterprise_server:*:*:*:*:*:*:*:* covers the on-premise product line; cloud deployments back the Viewer with object storage and do not load the vulnerable controller path.

RemediationAI

Upgrade on-premise Altium Enterprise Server to version 8.0.4 or later per the vendor advisory at https://www.altium.com/platform/security-compliance/security-advisories (Vendor-released patch: 8.0.4). Until the upgrade can be staged, restrict network access to the Viewer/Storage API endpoints to trusted administrative networks only, revoke or tightly scope low-privilege user accounts that can authenticate to the server, and consider running the service under a least-privilege OS account whose filesystem read scope excludes the master configuration directory (note: this may break legitimate signing or OAuth flows that need to load those files, so test before enforcing). After patching, rotate all secrets stored in the master configuration - database credentials, code-signing key passphrases, TLS certificate passwords, and OAuth client secrets - because any pre-patch read may have exfiltrated them undetected.

Share

CVE-2026-9129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy