Skip to main content

Altium Enterprise Server EUVDEUVD-2026-34915

| CVE-2026-11423 CRITICAL
Path Traversal (CWE-22)
2026-06-05 Altium GHSA-8mjc-gx82-2m9v
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 23:15 vuln.today
Patch available
Jun 05, 2026 - 22:01 EUVD
CVSS changed
Jun 05, 2026 - 21:22 NVD
9.4 (CRITICAL)
CVE Published
Jun 05, 2026 - 20:12 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A path traversal vulnerability exists in the Altium Enterprise Server Collaboration Service due to improper handling of user-supplied filenames in the MCAD and Simulation file download flows. A regular authenticated user can submit a collaboration message containing a crafted filename, which is later used to construct the download path on the server without validation, allowing arbitrary files to be read from the server filesystem.

Because the readable files include the server's master configuration, which stores credentials for privileged accounts, exploitation can lead to authenticating as a system administrator and gaining full control of the server. Altium 365 cloud deployments are not affected.

AnalysisAI

Arbitrary file read in Altium Enterprise Server Collaboration Service (versions prior to 8.1.1) allows an authenticated low-privileged user to traverse the server filesystem via crafted filenames in MCAD and Simulation download flows. Because retrievable files include the master configuration holding privileged credentials, the bug escalates to full administrative takeover of the on-premises server. No public exploit identified at time of analysis, and Altium 365 cloud tenants are explicitly out of scope.

Technical ContextAI

Altium Enterprise Server is the self-hosted PLM/PDM backend used by engineering teams for collaborative PCB and mechanical CAD design data management. The vulnerability is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in the Collaboration Service: filenames embedded in collaboration messages travel through the MCAD and Simulation file-download code paths and are concatenated into a server-side path without canonicalization or allow-list validation. Per the CPE (cpe:2.3:a:altium:altium_enterprise_server:*) all versions of the on-premises product before 8.1.1 are in scope, while the Altium 365 SaaS offering is architecturally different and not affected.

RemediationAI

Vendor-released patch: upgrade Altium Enterprise Server to version 8.1.1 or later, as published on the Altium security advisories page at https://www.altium.com/platform/security-compliance/security-advisories. Until the upgrade can be applied, restrict who can obtain Collaboration Service accounts and tightly limit network reachability of the on-prem server to trusted engineering subnets, since PR:L means any authenticated user is sufficient - note this hurts legitimate distributed collaboration. As an additional compensating control, rotate any credentials stored in the server's master configuration after patching on the assumption they may have been read, and audit Collaboration message logs for unusual filename patterns containing '../' or absolute path fragments in MCAD/Simulation download requests; this audit is best-effort and may miss obfuscated payloads. Altium 365 cloud customers require no action.

Share

EUVD-2026-34915 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy