
CVE-2026-11424

8.3 HIGH (CVSS 4.0)
Description
A server-side request forgery (SSRF) vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a request whose input is treated as a URL by the server and used to issue an outbound HTTP GET request without URL validation or destination filtering. The response body is then returned to the user. This allows an authenticated attacker to reach internal services and metadata endpoints that would not otherwise be accessible from the public network, and to retrieve their contents. The impact is information disclosure and internal infrastructure reconnaissance; the request primitive is limited to HTTP GET with no custom headers. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.
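The description names the two missing controls, URL validation and destination filtering, that turn a "fetch this URL for me" feature into an SSRF primitive. The following is an added example of such a destination filter, not Altium's code and not the vendor's fix: it rejects non-HTTP schemes, embedded credentials and literal or resolved addresses that are loopback, link-local (including the 169.254.169.254 metadata range), private, multicast or otherwise non-global, and optionally enforces a hostname allowlist. The resolver interface, the `constructed_resolver` stub and every hostname and address in it are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _destination_is_blocked(ip):
    """True for any address an outbound fetch on behalf of a user must never reach."""
    # Normalise IPv4-mapped IPv6 (::ffff:127.0.0.1) to its IPv4 form first,
    # otherwise the loopback check on the IPv6 object would not fire.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        not ip.is_global          # private, loopback, link-local, CGNAT, documentation ranges
        or ip.is_multicast
        or ip.is_loopback
        or ip.is_link_local       # covers the 169.254.0.0/16 cloud metadata range
        or ip.is_reserved
        or ip.is_unspecified
    )


def system_resolver(host):
    """Resolve a hostname to address strings with the OS resolver (needs network)."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


# Constructed lookup table so the example runs offline; the names and
# addresses are invented for illustration.
CONSTRUCTED_DNS = {
    "docs.example.com": ["93.184.216.34"],
    "internal-db.corp.example": ["10.20.30.40"],
    "dual-homed.example": ["93.184.216.34", "192.168.1.5"],
}


def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])


def validate_outbound_url(url, resolver=system_resolver, allowed_hosts=None):
    """Return (ok, reason). Only a URL that passes should be fetched server-side."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not permitted"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname          # lowercased, IPv6 brackets already stripped
    if not host:
        return False, "no host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not on allowlist"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback hostname"

    # Accept a literal IP as-is; otherwise resolve and check every answer,
    # because a name may map to both a public and an internal address.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, "hostname does not resolve"
        if not candidates:
            return False, "hostname does not resolve"

    for ip in candidates:
        if _destination_is_blocked(ip):
            return False, f"destination {ip} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://docs.example.com/manual",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/",
              "http://internal-db.corp.example/"):
        print(u, "->", validate_outbound_url(u, resolver=constructed_resolver))
```

Two points of design worth keeping in mind when adapting this: the check must run against the address the client actually connects to (re-validate at connection time, or pin the validated address) so that a name whose answer changes between validation and fetch does not bypass it, and the HTTP client used for the outbound request must not follow redirects automatically, since a redirect target is a fresh destination that has not been validated.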

Metadata

CVE ID
CVE-2026-11424
State
PUBLISHED
Assigner
Altium
Reserved
2026-06-05 20:20 UTC
Published
2026-06-05 20:51 UTC
Last updated
2026-06-08 13:11 UTC
Primary CWE
CWE-918 Server-Side Request Forgery (SSRF)
Vendor / Product
Altium / Altium Enterprise Server
Sources
cve.org  ·  NVD

Severity & Metrics

8.3 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (2)
Vendor | Product                  | Platform | Versions
Altium | Altium 365               | Web      | unspecified
Altium | Altium Enterprise Server | Web      | 0 < 8.1.1
Weakness (CWE)
CWE     | Source | Description
CWE-200 | cna    | Exposure of Sensitive Information to an Unauthorized Actor
CWE-918 | cna    | Server-Side Request Forgery (SSRF)
CVSS scores (1)
Score | Severity | Version | Source | Vector
8.3   | HIGH     | 4.0     | cna    | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N