CVE-2026-11419: Path Traversal in Altium Enterprise Server Vault UploadController Allows Arbitrary File Write
A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController due to improper validation of a user-controlled path component in image upload requests. An authenticated user can supply a crafted absolute path so that the configured storage root is discarded, allowing arbitrary files to be written to any location on the server filesystem writable by the service account. Because attacker-controlled file content can be written to web-accessible directories, or used to overwrite application binaries or configuration files, this can be escalated to remote code execution, service takeover, or denial of service. Altium 365 cloud deployments are not affected, as the affected endpoint is not reachable and the cloud storage architecture mitigates the file-write primitive.
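The failure mode described above, a rooted path component replacing the configured storage root when the two are joined, as an added example that is not Altium's or HarborGuard's code: the weak join beside a resolver that rejects rooted input and confirms the result still lies under the root. STORAGE_ROOT and the sample paths are constructed, and how the real UploadController joins paths is an assumption.

```python
import posixpath
from pathlib import PurePosixPath, PureWindowsPath

# Constructed storage root for the demo (not a real Altium path).
STORAGE_ROOT = "/srv/vault/images"


def naive_join(root: str, user_path: str) -> str:
    """The weak pattern. posixpath.join (like os.path.join and .NET's
    Path.Combine) discards every earlier component as soon as a later
    one is absolute, so an absolute user_path silently replaces root."""
    return posixpath.join(root, user_path)


def is_rooted(user_path: str) -> bool:
    """True when the component is absolute under POSIX or Windows rules:
    a leading '/', a drive letter such as 'C:', a leading '\\', or a UNC path."""
    win = PureWindowsPath(user_path)
    return PurePosixPath(user_path).is_absolute() or bool(win.drive or win.root)


def safe_join(root: str, user_path: str) -> str:
    """Hardened resolver: refuses rooted input, normalises separators and
    '..' segments, and checks the result is still strictly inside root."""
    if not user_path or "\x00" in user_path:
        raise ValueError("empty path or NUL byte rejected")
    if is_rooted(user_path):
        raise ValueError("absolute path rejected")
    root_abs = posixpath.normpath(root)
    relative = user_path.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root_abs, relative))
    # commonpath compares whole components, so '/srv/vault/images2' does
    # not pass as a child of '/srv/vault/images'.
    if candidate == root_abs or posixpath.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError("path escapes storage root")
    return candidate


if __name__ == "__main__":
    print(naive_join(STORAGE_ROOT, "/tmp/evil.txt"))   # root discarded
    print(safe_join(STORAGE_ROOT, "2024/board.png"))    # accepted
    for bad in ("/tmp/evil.txt", "C:\\x.png", "../../x.png"):
        try:
            safe_join(STORAGE_ROOT, bad)
        except ValueError as err:
            print(f"{bad!r}: {err}")
```

The same check belongs before any filesystem call in an upload handler; logging the rejected value gives detection a signal for attempts against the endpoint.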
Metrics
- CVSS v4.0: 9.4
- Severity: CRITICAL
- Fixed in: 8.1.1
- Affected Products: 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController. An authenticated attacker can reach the vulnerable endpoint over the network and supply a crafted absolute path in an image upload request, bypassing the configured storage root and writing arbitrary files to any location on the server filesystem accessible by the service account. Successful exploitation enables remote code execution, service takeover, or denial of service by overwriting application binaries, configuration files, or dropping attacker-controlled content into web-accessible directories. A patched-image rebuild at version 8.1.1 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection capability for CVE-2026-11419 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. This matching covers custom-built images derived from Altium Enterprise Server base layers, not only official upstream images.
HarborGuard is capable of scoring this finding at CVSS 9.4 (Critical, v4.0) and weighting it against each environment's compliance policy to prioritize routing. Triage tickets can be directed to the appropriate team inbox within each customer org based on configured ownership rules.
A patched-image rebuild at Altium Enterprise Server version 8.1.1 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Vault Service UploadController endpoint over the network; the vulnerable service is network-exposed by design.
- Authentication: Required
  Any low-privilege authenticated account is sufficient; no administrative or elevated role is needed to reach the upload endpoint.
- Victim interaction: Not required
  No victim interaction is needed; the attacker submits the crafted request directly without requiring another user to take any action.
- Attack complexity: Detail
  Exploitation is reliable and condition-free; no race conditions, specific memory layout, or environmental factors are required to write the attacker-chosen file.
Blast Radius
- Attacker writes arbitrary files to any filesystem path writable by the service account, including application binary directories and configuration files.
- Overwriting application binaries or startup scripts escalates the file-write primitive to remote code execution and full service takeover.
- Dropping attacker-controlled content into web-accessible directories enables serving of malicious payloads to users of the Enterprise Server web interface.
- Overwriting critical service files or configuration causes the Vault Service to crash or become unavailable, disrupting all connected design workflows.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11419 activates immediately upon CVE ingestion, flagging any image in a customer registry or pipeline that contains an affected Altium Enterprise Server version below 8.1.1. A patched-image rebuild at version 8.1.1 is available as soon as an affected image is identified. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the fixed version, runs a regression test, and opens a PR against affected workloads; for critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval before patching, the finding is routed to the designated team inbox with full CVSS context. Note that Altium 365 cloud deployments are documented as unaffected; HarborGuard triage will reflect this scope distinction for environments where image metadata identifies a cloud-hosted deployment.
Fix available
- Altium / Altium Enterprise Server: < 8.1.1 (from 0)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H