CVE-2026-11414: Unauthenticated File Exfiltration in Altium Enterprise Server Vault Service via Hard-coded Cryptographic Key and Path Traversal
A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and retrieve files from the Vault storage area without any authentication, session, or credentials. A separate path traversal vulnerability in the same download endpoint allows the configured storage root to be escaped, enabling reads of arbitrary files on the server filesystem. Combined, these issues allow an unauthenticated attacker to obtain sensitive server configuration and key material, which can lead to full server compromise. The vulnerability can be chained with CVE-2026-9152 to enumerate and bulk-download stored content. Altium 365 cloud deployments are not impacted in practice, as file storage uses object storage rather than the local filesystem.
Metrics
- CVSS v4.0: 10.0
- Severity: CRITICAL
- Fixed in: 8.1.1
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated file exfiltration vulnerability affects Altium Enterprise Server's Vault service, combining a hard-coded cryptographic key with a path traversal flaw in the file download endpoint. The vulnerability is reachable over the network with no authentication required, as confirmed by the CVSS 4.0 vector (AV:N, PR:N, UI:N). A remote attacker can forge valid download signatures to retrieve arbitrary files from the server filesystem, including sensitive configuration and key material, leading to full server compromise. A patched-image rebuild at version 8.1.1 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-11414 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images. Any image running an affected version of Altium Enterprise Server (below 8.1.1) is flagged automatically.
HarborGuard is capable of scoring this CVE at its published CVSS 4.0 rating of 10.0 (Critical) and weighting that score against each customer environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team or inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at Altium Enterprise Server 8.1.1 becomes available in HarborGuard once the upstream fix is confirmed, giving customers a ready drop-in replacement for affected images. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, execute a regression test run, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Vault service endpoint over the network; no prior foothold on the host is needed.
- Authentication: Not required
No credentials, session token, or account of any privilege level are required to exploit this vulnerability.
- Victim interaction: Not required
The attack is fully server-side; no user action or social engineering is needed to trigger the vulnerability.
- Attack complexity: Low (AC:L)
The exploit is reliable and condition-free; the hard-coded key is identical across all installations, so forging a valid signature requires no race condition or environmental tuning.
Blast Radius
- Reads arbitrary files from the server filesystem by escaping the configured Vault storage root via path traversal, including private keys, configuration files, and stored credentials.
- Retrieves all design files and intellectual property stored in the Vault, which can be bulk-downloaded when chained with CVE-2026-9152 for content enumeration.
- Obtains server key material and configuration secrets that enable follow-on attacks leading to full server compromise.
- Causes high-integrity and high-availability impact at both the system and downstream scope levels, meaning an attacker can tamper with or destroy stored data and disrupt service operation.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any customer image running Altium Enterprise Server below 8.1.1, including internally built images that bundle the Vault service. Given the Critical (CVSS 4.0: 10.0) rating, this CVE is prioritized at the top of HarborGuard's triage queue, and per-org compliance policy weighting can escalate it immediately to the responsible team. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image at version 8.1.1, run a regression test suite against the rebuilt image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Until a rebuild is deployed, compensating controls worth evaluating include restricting network access to the Vault service endpoint via Kubernetes NetworkPolicy or equivalent egress and ingress filtering rules, placing the Vault service behind an authenticating reverse proxy, and auditing filesystem permissions on the storage root to limit traversal impact. Note that Altium 365 cloud deployments are documented as unaffected; teams should confirm their deployment model before prioritizing remediation effort.
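As an added illustration (not Altium's code and not HarborGuard's), the two defects the advisory describes map onto two server-side checks a signed download endpoint needs: a signing key that is unique to the installation rather than a constant, and confinement of the requested path to the configured storage root. The storage root path, the `VAULT_URL_SIGNING_KEY` environment variable and the endpoint shape are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
import time
from pathlib import Path

# Assumed deployment values (constructed for this example, not Altium's): the root
# the Vault serves files from, and a signing key unique to this installation. The
# random fallback only keeps the example runnable; a real deployment persists its key.
STORAGE_ROOT = Path("/var/lib/vault-storage")
SIGNING_KEY = os.environ.get("VAULT_URL_SIGNING_KEY", "").encode() or secrets.token_bytes(32)

def sign_download(rel_path, expires, key=SIGNING_KEY):
    """HMAC-SHA256 over path and expiry; a key shared across installs would let anyone who learns it mint these."""
    msg = f"{rel_path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_download(rel_path, expires, sig, key=SIGNING_KEY, now=None):
    """Reject expired links and any signature not produced with this installation's key."""
    now = int(time.time()) if now is None else now
    if expires < now:
        return False
    return hmac.compare_digest(sign_download(rel_path, expires, key), sig)

def resolve_in_root(rel_path, root=STORAGE_ROOT):
    """Return the on-disk path only if it stays inside the storage root.
    resolve() collapses '..' segments, so traversal spread over several segments is caught."""
    if rel_path.startswith(("/", "\\")) or "\x00" in rel_path:
        return None
    candidate = (root / rel_path).resolve()
    try:
        candidate.relative_to(root.resolve())
    except ValueError:
        return None
    return candidate

def handle_download(rel_path, expires, sig, now=None):
    """Signature first, then path confinement; both must pass before any file is read."""
    if not verify_download(rel_path, expires, sig, now=now):
        return "unauthorized"
    target = resolve_in_root(rel_path)
    if target is None:
        return "forbidden"
    return f"ok:{target}"
```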
Fix available
- Altium / Altium Enterprise Server: < 8.1.1 (from 0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H