Security Advisories

Description

A path traversal vulnerability exists in the Projects Service download endpoint shared by Altium Enterprise Server and Altium 365. An authenticated user can supply a crafted path parameter that bypasses validation, allowing arbitrary files (including entire directories returned as archives) to be read from the server filesystem.

Because the readable files include service configuration and credential material, exploitation can be used to gather information enabling further compromise. The issue can be combined with CVE-2026-11424 to reach the cloud-side endpoint. On multi-tenant Altium 365 deployments, the readable configuration could have exposed credentials shared across services. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.

CVSS: 8.3

Detail of Vulnerability: CVE Record: CVE-2026-11431

Affected Products

• Product: Altium Enterprise Server 
• Affected version: prior to 8.1.1 
• Mitigated version: 8.1.1 
• Product: Altium 365 
• Affected version: All Altium 365 cloud workspaces (commercial and government cloud) 
• Mitigated version: Remediated at the service level (no customer action required) 

Recommendations

• Update to Altium Enterprise Server 8.1.1 or later. No customer action is required for Altium 365. The issue has been remediated at the service level across all commercial and government cloud regions. 

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 5 June 2026 
• Description: Post new finding

Description

A server-side request forgery (SSRF) vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a request whose input is treated as a URL by the server and used to issue an outbound HTTP GET request without URL validation or destination filtering. The response body is then returned to the user.

This allows an authenticated attacker to reach internal services and metadata endpoints that would not otherwise be accessible from the public network, and to retrieve their contents. The impact is information disclosure and internal infrastructure reconnaissance; the request primitive is limited to HTTP GET with no custom headers. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.

CVSS: 8.3 

Detail of Vulnerability: CVE Record: CVE-2026-11424

Affected Products

• Product: Altium Enterprise Server 
• Affected version: prior to 8.1.1 
• Mitigated version: 8.1.1 
• Product: Altium 365 
• Affected version: All Altium 365 cloud workspaces (commercial and government cloud) 
• Mitigated version: Remediated at the service level (no customer action required) 

Recommendations

• Update to Altium Enterprise Server 8.1.1 or later. No customer action is required for Altium 365. The issue has been remediated at the service level across all commercial and government cloud regions. 

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 5 June 2026 
• Description: Post new finding

Description

A path traversal vulnerability exists in the Altium Enterprise Server Collaboration Service due to improper handling of user-supplied filenames in the MCAD and Simulation file download flows. A regular authenticated user can submit a collaboration message containing a crafted filename, which is later used to construct the download path on the server without validation, allowing arbitrary files to be read from the server filesystem.

Because the readable files include the server's master configuration, which stores credentials for privileged accounts, exploitation can lead to authenticating as a system administrator and gaining full control of the server. Altium 365 cloud deployments are not affected.

CVSS: 9.4 

Detail of Vulnerability: CVE Record: CVE-2026-11423

Affected Products

• Product: Altium Enterprise Server 
• Affected version: prior to 8.1.1 
• Mitigated version: 8.1.1 

Recommendations

• Update to Altium Enterprise Server 8.1.1 or later. 

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 5 June 2026 
• Description: Post new finding

Description

Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on the server filesystem and to read package archive files from the server. No authentication, session, or credentials are required.

Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, exploitation can be escalated to remote code execution in the context of the service account, and can disclose deployment package contents. Altium 365 cloud deployments are not affected, as the Network Installation Service is not part of the cloud offering.

CVSS: 9.4 

Detail of Vulnerability: CVE Record: CVE-2026-11420

Affected Products

• Product: Altium Enterprise Server 
• Affected version: prior to 8.1.1 
• Mitigated version: 8.1.1 

Recommendations

• Update to Altium Enterprise Server 8.1.1 or later. 

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 5 June 2026 
• Description: Post new finding

Description

A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController due to improper validation of a user-controlled path component in image upload requests. An authenticated user can supply a crafted absolute path so that the configured storage root is discarded, allowing arbitrary files to be written to any location on the server filesystem writable by the service account.

Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, this can be escalated to remote code execution, service takeover, or denial of service. Altium 365 cloud deployments are not affected, as the affected endpoint is not reachable and the cloud storage architecture mitigates the file-write primitive.

CVSS: 9.4 

Detail of Vulnerability: CVE Record: CVE-2026-11419

Affected Products

• Product: Altium Enterprise Server 
• Affected version: prior to 8.1.1 
• Mitigated version: 8.1.1 

Recommendations

• Update to Altium Enterprise Server 8.1.1 or later. 

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 5 June 2026 
• Description: Post new finding

Description

A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and retrieve files from the Vault storage area without any authentication, session, or credentials.

A separate path traversal vulnerability in the same download endpoint allows the configured storage root to be escaped, enabling reads of arbitrary files on the server filesystem. Combined, these issues allow an unauthenticated attacker to obtain sensitive server configuration and key material, which can lead to full server compromise. The vulnerability can be chained with CVE-2026-9152 to enumerate and bulk-download stored content. Altium 365 cloud deployments are not impacted in practice, as file storage uses object storage rather than the local filesystem.

CVSS: 10.0

Detail of Vulnerability: CVE Record: CVE-2026-11414

Affected Products

• Product: Altium Enterprise Server 
• Affected version: prior to 8.1.1 
• Mitigated version: 8.1.1 

Recommendations

• Update to Altium Enterprise Server 8.1.1 or later. 

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 5 June 2026 
• Description: Post new finding

Description

A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace's identifier can interact with that workspace's search index, crossing tenant boundaries.

Successful exploitation allows reading a workspace's indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected.

CVSS: 10.0

Detail of Vulnerability: CVE Record:CVE-2026-9152

Affected Products

• Product: Altium 365  
• Affected version: All Altium 365 cloud workspaces (commercial and government cloud 
• Mitigated version: Remediated at the service level (no customer action required) 

Recommendations

• No customer action is required. Altium remediated this issue at the service level across all Altium 365 commercial and government cloud regions. 

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 20 May 2026 
• Description: Post new finding

Description

A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem.

Because content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service.

CVSS: 9.4

Detail of Vulnerability: CVE Record: CVE-2026-9102

Affected Products

• Product: Altium Enterprise Server 
• Affected version: All versions prior to 8.0.4 
• Mitigated version: 8.0.4 

Recommendations

• Update to latest version

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 20 May 2026 
• Description: Post new finding

Description

A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem.

Because the readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.

CVSS: 9.4

Detail of Vulnerability: CVE Record: CVE-2026-9129

Affected Products

• Product: Altium Enterprise Server 
• Affected version: All versions prior to 8.0.4 
• Mitigated version: 8.0.4 

Recommendations

• Update to latest version

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 20 May 2026 
• Description: Post new finding

Description

A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques.

The injected payload is persisted and executed when other users view the affected profile page. Successful exploitation could allow an attacker to perform actions such as session token theft, phishing attacks, or malicious redirections in the context of the victim’s browser session.

Exploitation requires an authenticated account and user interaction to view the crafted profile but does not require elevated privileges.

CVSS: 7.6

Detail of Vulnerability: CVE Record: CVE-2026-1008

Affected Products

• Product: Altium Live
• Affected version: 1.2.2
• Mitigated version: 1.2.3

Recommendations

• Update to latest version

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 16 January 2025
• Description: Post new finding

Description

A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post.Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post.

CVSS: 9.0

Detail of Vulnerability: CVE Record: CVE-2026-1009

Affected Products

• Product: Altium Live
• Affected version: 1.2.2
• Mitigated version: 1.2.3

Recommendations

• Update to latest version

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 16 January 2025
• Description: Post new finding

Description

An over-permissive Cross-Origin Resource Sharing (CORS) configuration was identified in the Altium 365 workspace web application. The workspace was configured to allow credentialed cross-origin requests from other Altium-controlled subdomains (for example, forum.live.altium.com) via the Access-Control-Allow-Origin and Access-Control-Allow-Credentials response headers.

As a result, JavaScript executing on those external origins could perform authenticated requests to Altium 365 workspace endpoints in the context of a logged-in user. When chained with vulnerabilities such as stored cross-site scripting (XSS) in those external applications, this misconfiguration could enable unauthorized access to workspace data, execution of administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments.

This issue represents a trust boundary failure in the Altium 365 platform, where untrusted or less-trusted applications were permitted to interact with sensitive workspace APIs.

CVSS: 9.0

Detail of Vulnerability: CVE Record: CVE-2026-1181

Affected Products

• Product: Altium 365
• Affected version: All versions prior to the CORS configuration fix
• Mitigated version: Configuration update applied

Recommendations

• No customer action required

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 16 January 2025
• Description: Post new finding

Description

A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data.

When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.

CVSS: 8.0

Detail of Vulnerability: CVE Record: CVE-2026-1010

Affected Products

• Product: Altium Enterprise Server
• Affected version: 8.0.1
• Mitigated version: TBD

Recommendations

• Update to latest version

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 16 January 2025
• Description: Post new finding

Description

A stored cross-site scripting (XSS) vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST requests.The injected content is rendered verbatim when support cases are viewed by other users, including support staff with elevated privileges, allowing execution of arbitrary JavaScript in the victim’s browser context.

CVSS: 6.1

Detail of Vulnerability: CVE Record: CVE-2026-1011

Affected Products

• Product: Altium Live
• Affected version: 1.1.1.39
• Mitigated version: 1.1.1.40

Recommendations

• Update to latest version

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.0
• Date: 16 January 2025
• Description: Post new finding

Description

Altium 24.9.0 does not validate the self signed server certificate, including for cloud connections. This allows for MITM attacks that can steal sensitive data including authentication credentials or design data.

CVSS: 5.3

Detail of Vulnerability: CVE-2025-27377

Affected Products

• Product: Altium Designer, AES
• Affected version: 24.9
• Mitigated version: 25.2

Recommendations

• Update to latest version
   

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.1
• Date: 04 April 2025
• Description: Add acknowledgement

Description

BOM Viewer on AES7.0.3 does not sanitize all fields. Script execution can be achieved by creating a schematic with a javascript payload in the Description field

CVSS: 6.8
Detail of Vulnerability: CVE-2025-27379

Affected Products

• Product: AES
• Affected version: 7.0.3
• Mitigated version: 7.0.6

Recommendations

• Update to latest version

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.1
• Date: 04 April 2025
• Description: Add acknowledgement

Description

An inactive configuration allows SQL injection to occur by not activating the latest implementation of SQL parsing logic.

CVSS: 8.6
Detail of Vulnerability: CVE-2025-27378

Affected Products

• Product: AES
• Affected version: 7.0.3
• Mitigated version: 7.0.6

Recommendations

• Update to latest version

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.1
• Date: 04 April 2025
• Description: Add acknowledgement

Description

Stealing Session ID through Project Release.

CVSS: 7.6
Detail of Vulnerability: CVE-2025-27380

Affected Products

• Product: AES
• Affected version: 7.0.3
• Mitigated version: 7.0.6

Recommendations

• Update to latest version

Acknowledgements

Joris Aerts

Revision History

• Revision: 1.1
• Date: 04 April 2025
• Description: Add acknowledgement