Back to overview

CVE-2026-11429

CRITICAL
10.0
CVSS 4.0
Description
Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file uploads where a user-supplied filename component is used to construct the destination path without validation, allowing arbitrary files to be written to any location writable by the service account. Because the file write operation completes before authentication is validated, the vulnerability can be exploited without any credentials, session, or prior knowledge of the system. An unauthenticated network attacker can use this primitive to place executable content in directories where it is later executed by the service, resulting in remote code execution under the Vault Service account. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 (commercial and government cloud) at the service level.

Metadata

CVE ID
CVE-2026-11429
State
PUBLISHED
Assigner
Altium
Reserved
2026-06-05 20:52 UTC
Published
2026-06-05 21:01 UTC
Last updated
2026-06-09 16:06 UTC
Primary CWE
CWE-22
CWE-22 Improper Limitation of a Pathname to a Restricted Dir…
Vendor / Product
Altium / Altium Enterprise Server
Sources
cve.org  ·  NVD

Severity & Metrics

10.0 CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
total
Affected products (2)
VendorProductPlatformVersions
Altium Altium 365 Web unspecified
Altium Altium Enterprise Server Web 0 < 8.1.1
Weakness (CWE)
CWESourceDescription
CWE-22 cna CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-306 cna CWE-306 Missing Authentication for Critical Function
CVSS scores (1)
ScoreSeverityVersionSourceVector
10.0 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References (1)
Back to overview