Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A path traversal vulnerability exists in the Altium Enterprise Server Collaboration Service due to improper handling of user-supplied filenames in the MCAD and Simulation file download flows. A regular authenticated user can submit a collaboration message containing a crafted filename, which is later used to construct the download path on the server without validation, allowing arbitrary files to be read from the server filesystem.
Because the readable files include the server's master configuration, which stores credentials for privileged accounts, exploitation can lead to authenticating as a system administrator and gaining full control of the server. Altium 365 cloud deployments are not affected.
AnalysisAI
Arbitrary file read in Altium Enterprise Server Collaboration Service (versions prior to 8.1.1) allows an authenticated low-privileged user to traverse the server filesystem via crafted filenames in MCAD and Simulation download flows. Because retrievable files include the master configuration holding privileged credentials, the bug escalates to full administrative takeover of the on-premises server. No public exploit identified at time of analysis, and Altium 365 cloud tenants are explicitly out of scope.
Technical ContextAI
Altium Enterprise Server is the self-hosted PLM/PDM backend used by engineering teams for collaborative PCB and mechanical CAD design data management. The vulnerability is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in the Collaboration Service: filenames embedded in collaboration messages travel through the MCAD and Simulation file-download code paths and are concatenated into a server-side path without canonicalization or allow-list validation. Per the CPE (cpe:2.3:a:altium:altium_enterprise_server:*) all versions of the on-premises product before 8.1.1 are in scope, while the Altium 365 SaaS offering is architecturally different and not affected.
RemediationAI
Vendor-released patch: upgrade Altium Enterprise Server to version 8.1.1 or later, as published on the Altium security advisories page at https://www.altium.com/platform/security-compliance/security-advisories. Until the upgrade can be applied, restrict who can obtain Collaboration Service accounts and tightly limit network reachability of the on-prem server to trusted engineering subnets, since PR:L means any authenticated user is sufficient - note this hurts legitimate distributed collaboration. As an additional compensating control, rotate any credentials stored in the server's master configuration after patching on the assumption they may have been read, and audit Collaboration message logs for unusual filename patterns containing '../' or absolute path fragments in MCAD/Simulation download requests; this audit is best-effort and may miss obfuscated payloads. Altium 365 cloud customers require no action.
More in Altium Enterprise Server
View allRemote code execution in Altium Enterprise Server (versions prior to 8.1.1) and Altium 365 arises from a path traversal
Unauthenticated file disclosure and arbitrary file read in Altium Enterprise Server prior to 8.1.1 allows any network-re
Arbitrary file write in Altium Enterprise Server ComparisonService allows authenticated workspace users to escape the te
Arbitrary file read in Altium Enterprise Server on-premise deployments allows any authenticated low-privilege user to es
Server-side request forgery in the shared GraphQL service of Altium Enterprise Server (prior to 8.1.1) and Altium 365 al
Authenticated path traversal in Altium Enterprise Server (before 8.1.1) and Altium 365 lets a low-privileged user read a
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34915
GHSA-8mjc-gx82-2m9v