CVE-2026-11419: Altium Enterprise Server Path Traversal – Arbitrary File Write
Altium Enterprise Server contains a flaw in how it validates file paths when users upload images. An authenticated attacker can bypass the normal storage location restrictions and write files anywhere on the server's filesystem. This primitive can be weaponized to inject malicious code, take over the service, or crash it entirely. Cloud-hosted Altium 365 deployments are not vulnerable because the vulnerable upload endpoint is not exposed in that architecture.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-22, CWE-434
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController due to improper validation of a user-controlled path component in image upload requests. An authenticated user can supply a crafted absolute path so that the configured storage root is discarded, allowing arbitrary files to be written to any location on the server filesystem writable by the service account. Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, this can be escalated to remote code execution, service takeover, or denial of service. Altium 365 cloud deployments are not affected, as the affected endpoint is not reachable and the cloud storage architecture mitigates the file-write primitive.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11419 is a path traversal vulnerability in the Altium Enterprise Server Vault Service UploadController. The flaw stems from insufficient validation of a user-controlled path parameter in image upload requests. An authenticated attacker can supply a crafted absolute path that discards the configured storage root, enabling arbitrary file writes to any location writable by the service account. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS v3.1 score of 8.8 (HIGH severity) reflects high impact across confidentiality, integrity, and availability, with low attack complexity and only low privilege requirements (authenticated user).
Business impact
Organizations running Altium Enterprise Server on-premises face material risk of service compromise. An attacker with valid credentials—whether obtained through phishing, credential stuffing, or insider access—can write executable files to web-accessible directories to achieve remote code execution, modify application binaries or configuration to alter system behavior, or corrupt critical files to cause denial of service. The impact extends to downstream design workflows and intellectual property security if the attacker exfiltrates or alters sensitive CAD files stored on affected systems.
Affected systems
Only Altium Enterprise Server on-premises deployments are affected. The vulnerability resides in the UploadController of the Vault Service. Altium 365 cloud customers are not impacted because the vulnerable endpoint is not exposed in the cloud architecture, and cloud storage design inherently mitigates arbitrary file-write primitives. Verify your deployment model and Altium version against the official vendor advisory.
Exploitability
Exploitation requires valid authentication to the Altium Enterprise Server—the attacker must be an already-authenticated user. The attack itself requires no user interaction and does not depend on a specific system configuration; the vulnerability is intrinsic to the UploadController logic. CVSS vector reflects these factors: AV:N (network-accessible), AC:L (low complexity), PR:L (low privilege—authenticated user), UI:N (no user interaction). Because exploitation is straightforward once authenticated, threat actors with credentials pose a credible risk.
Remediation
The primary remediation is to apply a patched version of Altium Enterprise Server from the vendor. Pending patches, network segmentation and access controls should be strengthened: restrict who can authenticate to the server, enforce strong multi-factor authentication for administrative and service accounts, and limit the service account's filesystem permissions to only directories and files required for normal operation. Monitor upload activity for suspicious path patterns or unexpected file writes outside the configured vault storage directory.
Patch guidance
Check the official Altium vendor advisory and security bulletins for the exact patched version numbers applicable to your Enterprise Server version. Apply patches promptly to any on-premises Altium Enterprise Server instances. Before patching, capture baseline filesystem permissions and monitor post-patch behavior to ensure no configuration drift. Verify patches in a staging environment matching your production configuration.
Detection guidance
Monitor UploadController request logs for absolute paths or path traversal sequences (e.g., ../, ..\ patterns) in image upload parameters. Review filesystem access logs on the Altium Enterprise Server host for unexpected file writes or modifications outside the configured vault storage root, especially to sensitive directories such as application bin, web-root, or system directories. Correlation between suspicious upload requests and subsequent file-write events is a strong indicator of exploitation attempts.
Why prioritize this
This vulnerability merits urgent priority because it combines (1) high exploitability with only authentication as a barrier, (2) high impact—from RCE to denial of service, (3) presence in a design-critical application that enterprises often deploy on-premises in trusted-but-not-isolated networks, and (4) the absence of mitigating factors (cloud deployments unaffected, but on-prem remains vulnerable). Organizations should patch immediately if on-premises Altium Enterprise Server is in scope.
Risk score, explained
The CVSS 8.8 HIGH severity reflects the intersection of: (i) low barrier to exploitation (any authenticated user, no special system configuration), (ii) high confidentiality, integrity, and availability impact (arbitrary file write enables RCE, service takeover, DoS), (iii) network accessibility, and (iv) low privilege requirements. The score accurately captures the risk from both insider and externally-compromised-credential scenarios. Context-specific risk may be higher if the service account runs with elevated privileges or if the Altium server is internet-facing.
Frequently asked questions
Does this affect Altium 365 (cloud)?
No. Altium 365 cloud deployments are explicitly not vulnerable. The affected UploadController endpoint is not reachable in cloud architectures, and cloud storage design prevents the arbitrary file-write primitive.
Can the attacker write files without authentication?
No. CVE-2026-11419 requires a valid authenticated user session. However, a compromised credential—via phishing, password reuse, or insider access—is sufficient to trigger the attack.
What is the difference between this and a simple unrestricted file upload?
This is specifically a path traversal flaw: the attacker is not just uploading a file, but bypassing the intended storage directory by supplying an absolute path. The impact is file-write primitives anywhere on the filesystem, not merely in an upload folder.
How urgent is the patch?
Very urgent. The ease of exploitation (low complexity, intrinsic vulnerability, high impact) combined with on-premises deployment patterns means threat actors with valid credentials pose an immediate risk. Patch as soon as tested patches are available.
This analysis is provided for informational purposes and reflects publicly disclosed information as of the publication date. Patch version numbers, vendor advisories, and availability of fixes should be verified directly with Altium's official security bulletins. Organizations should conduct their own risk assessment based on deployment topology, credential controls, and asset criticality. SEC.co makes no warranty regarding the completeness or accuracy of this vulnerability intelligence and assumes no liability for actions taken based on this analysis. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2018-25409HIGHSIM-PKH 2.4.1 Arbitrary File Upload Leading to Remote Code Execution
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-10072HIGHDreamMaker Arbitrary File Upload RCE Vulnerability
- CVE-2026-10108HIGHUnauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-11344HIGHUnrestricted File Upload in code-projects Vehicle Management System 1.0
- CVE-2026-11416HIGHMoviePilot Path Traversal in Cloud Storage Download Handlers