Skip to main content

Altium Enterprise Server EUVDEUVD-2026-34913

| CVE-2026-11419 CRITICAL
Path Traversal (CWE-22)
2026-06-05 4760f414-e1ae-4ff1-bdad-c7a9c3538b79 GHSA-6hrc-72jv-9cp2
9.4
CVSS 4.0 · Vendor: 4760f414-e1ae-4ff1-bdad-c7a9c3538b79
Share

Severity by source

Vendor (4760f414-e1ae-4ff1-bdad-c7a9c3538b79) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (4760f414-e1ae-4ff1-bdad-c7a9c3538b79) · only source for this CVE.

CVSS VectorVendor: 4760f414-e1ae-4ff1-bdad-c7a9c3538b79

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 05, 2026 - 22:01 EUVD
Analysis Generated
Jun 05, 2026 - 20:31 vuln.today

DescriptionCVE.org

A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController due to improper validation of a user-controlled path component in image upload requests. An authenticated user can supply a crafted absolute path so that the configured storage root is discarded, allowing arbitrary files to be written to any location on the server filesystem writable by the service account.

Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, this can be escalated to remote code execution, service takeover, or denial of service. Altium 365 cloud deployments are not affected, as the affected endpoint is not reachable and the cloud storage architecture mitigates the file-write primitive.

AnalysisAI

Arbitrary file write in the Altium Enterprise Server Vault Service allows authenticated users to escape the configured storage root via the UploadController image upload endpoint and place content-controlled files anywhere the service account can write. The flaw (CVSS 4.0 base 9.4, CWE-22) escalates to remote code execution, service takeover, or denial of service by overwriting application binaries, configuration files, or dropping payloads in web-accessible directories. No public exploit identified at time of analysis, and Altium 365 cloud deployments are explicitly out of scope.

Technical ContextAI

The Vault Service is the on-premises content/document storage backbone of the Altium Enterprise Server (formerly Altium Concord Pro / NEXUS Server), used by PCB and electronics design teams to manage component libraries and design data. The UploadController image handler accepts a user-controlled path fragment that is concatenated with the configured storage root without normalization or boundary enforcement; supplying an absolute path causes standard path-join semantics to discard the prefix, producing a classic CWE-22 (Path Traversal) primitive that resolves to an unconstrained write. Because the write inherits the Vault Service account's filesystem privileges, it reaches anywhere that identity can write - typically the application install directory, IIS or service web roots, and on-disk configuration. Altium 365 SaaS is unaffected because the vulnerable endpoint is not externally reachable and the cloud tier uses object storage rather than a writable local filesystem.

RemediationAI

Patch availability per vendor advisory should be confirmed against the Altium security advisories portal at https://www.altium.com/platform/security-compliance/security-advisories, as no exact fix version is included in the supplied data and no vendor-released patch version is independently confirmed here. Until a verified build is applied, restrict network reachability of the Vault Service UploadController to trusted management networks via firewall or reverse-proxy ACLs, audit and reduce the population of accounts that hold upload privileges (revoking unused or shared Vault credentials), and run the Vault Service under a least-privileged account that lacks write access to the web root, the Altium install directory, and configuration files - accepting the trade-off that overly tight ACLs may break legitimate upload, indexing, or update flows. Where feasible for the organization's workflow, migrating affected on-premises deployments to Altium 365 removes exposure because the vulnerable endpoint is not reachable there.

Share

EUVD-2026-34913 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy