CVE-2026-11429

CRITICAL

Path Traversal in Altium Git Service Allows Remote Code Execution

Title source: cna

Description

Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file uploads where a user-supplied filename component is used to construct the destination path without validation, allowing arbitrary files to be written to any location writable by the service account. Because the file write operation completes before authentication is validated, the vulnerability can be exploited without any credentials, session, or prior knowledge of the system. An unauthenticated network attacker can use this primitive to place executable content in directories where it is later executed by the service, resulting in remote code execution under the Vault Service account. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 (commercial and government cloud) at the service level.

References (1)

Core 1

Core References

https://www.altium.com/platform/security-compliance/security-advisories

Scores

CVSS v4 10.0

EPSS 0.0115

EPSS Percentile 62.5%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-22 CWE-306

Status published

Products (2)

Altium/Altium 365 unspecified

Altium/Altium Enterprise Server < 8.1.1

Published Jun 05, 2026

Tracked Since Jun 06, 2026