Back to overview

CVE-2026-14439

CRITICAL
9.4
CVSS 4.0
Description
A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to move arbitrary files outside the intended repository area. This file-move primitive can be used to place attacker-controlled script content into directories where it is later executed by the service, resulting in remote code execution under the Git Service account. On multi-tenant Altium 365 deployments, this could have allowed access to data belonging to other tenants on the same infrastructure node. Altium Enterprise Server is fixed in 8.1.1. The issue has been remediated across Altium 365 shared multi-tenant deployments at the service level; remediation is in progress on remaining Altium 365 deployments.

Metadata

CVE ID
CVE-2026-14439
State
PUBLISHED
Assigner
Altium
Reserved
2026-07-01 22:14 UTC
Published
2026-07-01 23:05 UTC
Last updated
2026-07-02 12:25 UTC
Primary CWE
CWE-22
CWE-22 Improper Limitation of a Pathname to a Restricted Dir…
Vendor / Product
Altium / Altium Enterprise Server
Sources
cve.org  ·  NVD

Severity & Metrics

9.4 CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (2)
VendorProductPlatformVersions
Altium Altium 365 Web unspecified
Altium Altium Enterprise Server Web 0 < 8.1.1
Weakness (CWE)
CWESourceDescription
CWE-22 cna CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-94 cna CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.4 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Back to overview