Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (Altium) · only source for this CVE.
CVSS VectorVendor: Altium
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and retrieve files from the Vault storage area without any authentication, session, or credentials.
A separate path traversal vulnerability in the same download endpoint allows the configured storage root to be escaped, enabling reads of arbitrary files on the server filesystem. Combined, these issues allow an unauthenticated attacker to obtain sensitive server configuration and key material, which can lead to full server compromise. The vulnerability can be chained with CVE-2026-9152 to enumerate and bulk-download stored content. Altium 365 cloud deployments are not impacted in practice, as file storage uses object storage rather than the local filesystem.
AnalysisAI
Unauthenticated file disclosure and arbitrary file read in Altium Enterprise Server prior to 8.1.1 allows any network-reachable attacker to forge signed Vault download URLs using a hard-coded key shipped identically across all installations. Chained with a co-located path traversal in the same download endpoint (and optionally CVE-2026-9152 for enumeration), an attacker can read arbitrary server-side files including configuration and key material, leading to full server compromise. No public exploit identified at time of analysis; CVSS 4.0 score is 10.0 and Altium 365 SaaS is not affected because cloud deployments use object storage rather than the local filesystem.
Technical ContextAI
Altium Enterprise Server is the self-hosted version of Altium's PLM/PDM platform for electronic design data, including the Vault service used to store engineering files. The root cause is CWE-798 (Use of Hard-Coded Cryptographic Key): the Vault download endpoint signs URLs with a static key embedded in the product binary, identical across every customer install, so signatures are universally forgeable rather than tenant- or instance-specific. A second flaw in the same handler fails to canonicalize the requested storage path before resolving it against the configured storage root, permitting traditional path traversal (../ sequences) to escape into arbitrary filesystem locations readable by the service account. The vendor tag 'Hashicorp' in the intelligence feed suggests the leaked filesystem contents typically include HashiCorp-format secrets or Vault-related configuration that yields further privilege escalation paths on the host.
RemediationAI
Upgrade Altium Enterprise Server to version 8.1.1 or later, which is the vendor-released patch and the only complete remediation since the hard-coded key cannot be changed by the operator without a code-level rotation. Until the upgrade window, restrict network reachability to the Vault download endpoint at the perimeter so that only trusted engineering networks or VPN clients can issue download requests - this blocks the signature-forgery path but also blocks legitimate remote designers, so plan for user impact. As a stop-gap layered control, place a reverse proxy or WAF in front of the server to drop requests whose path component contains traversal sequences (../, encoded variants %2e%2e, double-encoded ..%252f) and log download endpoint hits for offline review; this does not stop signature forgery for in-scope files but does shut down the arbitrary-file-read leg used to harvest key material. After patching, rotate any credentials, API tokens, or HashiCorp/Vault secrets that resided on the filesystem of an exposed server, since you must assume those have been read. The vendor advisory index is at https://www.altium.com/platform/security-compliance/security-advisories.
More in Altium Enterprise Server
View allRemote code execution in Altium Enterprise Server (versions prior to 8.1.1) and Altium 365 arises from a path traversal
Arbitrary file write in Altium Enterprise Server ComparisonService allows authenticated workspace users to escape the te
Arbitrary file read in Altium Enterprise Server Collaboration Service (versions prior to 8.1.1) allows an authenticated
Arbitrary file read in Altium Enterprise Server on-premise deployments allows any authenticated low-privilege user to es
Server-side request forgery in the shared GraphQL service of Altium Enterprise Server (prior to 8.1.1) and Altium 365 al
Authenticated path traversal in Altium Enterprise Server (before 8.1.1) and Altium 365 lets a low-privileged user read a
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34899
GHSA-q7h9-qxg9-hrm3