
Altium Enterprise Server EUVD-2026-31148 | CVE-2026-9129 CRITICAL
Path Traversal (CWE-22)
2026-05-20 | Altium | GHSA-3qfq-f4q6-pq76
CVSS 4.0 base score: 9.4

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity High, Availability High
Subsequent System Impact: Confidentiality High, Integrity High, Availability High

(CVSS 4.0 has no Scope metric; the "S:X" in the vector is the undefined Safety supplemental metric, and the old scope-change notion is expressed through the Subsequent System impact values above.)

Lifecycle Timeline

Analysis Generated: May 20, 2026 - 20:05 (vuln.today)
Patch available: May 20, 2026 - 20:02 (EUVD)

Description (NVD)

A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem.

Because the readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.
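The failure mode the description names, that an absolute path in a route parameter makes the "join with storage root" step discard the root, modelled as an added example. This is not Altium's code: it uses Python's ntpath to reproduce Windows join semantics on any platform, a hypothetical storage root D:\AltiumStorage, hypothetical function names, constructed requests, and the assumption that the web framework URL-decodes the route parameter exactly once before the join. The vulnerable pattern is shown beside a hardened version that rejects rooted input and proves the normalised result still lies under the root.

```python
"""Model of the CVE-2026-9129 bug class: joining a configured storage root
with a user-controlled route parameter. Illustrative only; not Altium's code.
Assumed/hypothetical: STORAGE_ROOT, the function names and the sample inputs."""
import ntpath
from urllib.parse import unquote

# Hypothetical on-premise storage root (constructed for this example).
STORAGE_ROOT = r"D:\AltiumStorage"


def vulnerable_resolve(root: str, route_param: str) -> str:
    """Flawed pattern: decode the route parameter, then join it onto the root.
    ntpath.join(), like Path.Combine-style APIs, returns the second argument
    unchanged when it carries a drive letter or UNC prefix, and re-roots on the
    current drive when it starts with a separator, so the root is silently lost."""
    decoded = unquote(route_param)  # framework-style single URL decode
    return ntpath.join(root, decoded)


def safe_resolve(root: str, route_param: str) -> str:
    """Hardened version. Rejects rooted input up front, then normalises the
    joined path (collapsing '..') and checks containment under the root.
    Raises ValueError for anything that would leave the storage root."""
    decoded = unquote(route_param)
    if not decoded:
        raise ValueError("empty path rejected")
    drive, _ = ntpath.splitdrive(decoded)  # catches "C:" and "\\\\server\\share"
    if drive or decoded.startswith(("\\", "/")):
        raise ValueError(f"rooted path rejected: {decoded!r}")
    root_n = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_n, decoded))
    try:
        common = ntpath.commonpath([root_n, candidate])
    except ValueError:  # different drives: cannot be inside the root
        raise ValueError(f"path escapes storage root: {decoded!r}") from None
    if common.lower() != root_n.lower():  # NTFS names are case-insensitive
        raise ValueError(f"path escapes storage root: {decoded!r}")
    return candidate


def is_within_root(root: str, route_param: str) -> bool:
    """Boolean wrapper over safe_resolve for policy checks and tests."""
    try:
        safe_resolve(root, route_param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed requests: one benign, three escape attempts.
    samples = [
        "designs%2Fboard.PcbDoc",       # normal file under the root
        "C%3A%5CWindows%5Cwin.ini",     # encoded drive letter (the pattern in the CVE)
        "%5CWindows%5Cwin.ini",         # rooted on the current drive
        "..%2F..%2FWindows%2Fwin.ini",  # classic dot-dot traversal
    ]
    for s in samples:
        print(f"{s:30} vulnerable -> {vulnerable_resolve(STORAGE_ROOT, s)}")
        verdict = "allowed" if is_within_root(STORAGE_ROOT, s) else "rejected"
        print(f"{'':30} hardened   -> {verdict}")
```

The two checks in safe_resolve are deliberately separate: the rooted-input test stops the join from ever discarding the root, and the commonpath test after normalisation stops "../" sequences that the join does keep. Relying on only one of them leaves the other escape open. If the server might decode percent-escapes more than once, apply the checks to the fully decoded string the file API will actually open.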

Analysis (AI-generated)

Arbitrary file read in Altium Enterprise Server on-premise deployments: any authenticated low-privilege user can escape the configured storage root by supplying a URL-encoded absolute path to the Viewer StorageController API, exposing the master configuration, which holds database credentials, signing key locations, certificate passwords and OAuth secrets. The CVSS 4.0 base score of 9.4 reflects a network-reachable, low-complexity attack that needs only low privileges and no user interaction, with high confidentiality, integrity and availability impact on both the vulnerable system and subsequent systems (SC:H/SI:H/SA:H), since the leaked secrets enable full server takeover. No public exploit was identified at the time of analysis; Altium has released a fix, and cloud-hosted tenants are unaffected because they use object storage rather than the local filesystem storage component.


Remediation (AI-generated)

Within 24 hours: Identify all Altium Enterprise Server on-premise deployments in your environment and contact Altium for the latest security patch details and affected version ranges. Within 7 days: Apply the vendor-released security patch to all on-premise instances and verify successful deployment. …
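Alongside patching, an on-premise operator will want to know whether the storage API was already probed. The following added example (not from vuln.today or Altium) scans web-server access logs for requests whose file parameter decodes to a drive-rooted, separator-rooted, UNC or dot-dot path. The route prefix /viewer/storage/, the combined-log layout and the log lines themselves are constructed assumptions; substitute the real route from the vendor advisory and your own log format.

```python
"""Retrospective hunt for CVE-2026-9129-style requests in access logs.
Added example with constructed data; the route prefix, log layout and
users are hypothetical, not Altium's real endpoint or anyone's real traffic."""
import re
from collections import Counter
from urllib.parse import unquote

# Assumed route prefix of the Viewer storage API (hypothetical placeholder).
STORAGE_PREFIX = "/viewer/storage/"

# NCSA combined-style line: src ident user [time] "METHOD URI PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log: one benign fetch, three probes, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - jsmith [20/May/2026:14:01:02 +0000] "GET /viewer/storage/designs%2Fboard.PcbDoc HTTP/1.1" 200 5120',
    '10.0.0.9 - contractor1 [20/May/2026:14:02:10 +0000] "GET /viewer/storage/C%3A%5CWindows%5Cwin.ini HTTP/1.1" 200 403',
    '10.0.0.9 - contractor1 [20/May/2026:14:02:11 +0000] "GET /viewer/storage/..%2F..%2Fsecret.txt HTTP/1.1" 200 120',
    '10.0.0.9 - contractor1 [20/May/2026:14:02:12 +0000] "GET /viewer/storage/C%253A%255Cboot.ini HTTP/1.1" 403 0',
    '10.0.0.7 - jdoe [20/May/2026:14:03:00 +0000] "GET /api/status HTTP/1.1" 200 14',
]


def is_rooted_or_traversing(file_part: str) -> bool:
    """True if the route parameter, decoded twice to catch double-encoding,
    is drive-rooted (C:), separator-rooted or UNC (\\ or /), or contains a
    '..' path component."""
    decoded = unquote(unquote(file_part))
    if re.match(r"^[A-Za-z]:", decoded) or decoded.startswith(("\\", "/")):
        return True
    return ".." in re.split(r"[\\/]", decoded)


def find_suspicious(lines):
    """Return one record per request to the storage route whose file parameter
    looks like an escape attempt. Status is kept because a 200 on such a request
    means the read very likely succeeded on an unpatched server."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        src, user, ts, method, uri, status = m.groups()
        if not uri.startswith(STORAGE_PREFIX):
            continue
        file_part = uri[len(STORAGE_PREFIX):].split("?", 1)[0]
        if is_rooted_or_traversing(file_part):
            hits.append({"src": src, "user": user, "time": ts, "method": method,
                         "uri": uri, "status": int(status)})
    return hits


def offenders(hits) -> Counter:
    """Count hits per authenticated user for triage (the bug needs a valid login)."""
    return Counter(h["user"] for h in hits)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']}  {h['user']:12} {h['src']:10} {h['status']}  {h['uri']}")
    print("per-user:", dict(offenders(found)))
```

Treat every hit with a 2xx status on a pre-patch server as a probable read of the master configuration and rotate the secrets it contains (database credentials, certificate passwords, OAuth secrets, and the signing keys whose locations it records), not just the user's session.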


EUVD-2026-31148 vulnerability details – vuln.today
