HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-11420Published Modified CNA Altium

CVE-2026-11420: Path Traversal in Altium Enterprise Server NIS Allows Unauthenticated Arbitrary File Write and File Read

Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on the server filesystem and to read package archive files from the server. No authentication, session, or credentials are required. Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, exploitation can be escalated to remote code execution in the context of the service account, and can disclose deployment package contents. Altium 365 cloud deployments are not affected, as the Network Installation Service is not part of the cloud offering.

Metrics

CVSS v4.0
10.0
Severity
CRITICAL
Fixed in
8.1.1
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Two path traversal vulnerabilities in the Network Installation Service (NIS) component of Altium Enterprise Server allow an unauthenticated attacker to write arbitrary files to any writable location on the server filesystem and to read package archive files without any credentials. The service is reachable over the network and requires no authentication, session token, or prior access. Successful exploitation enables remote code execution in the context of the service account, as well as disclosure of deployment package contents. A patched-image rebuild at version 8.1.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-11420 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Altium Enterprise Server.

Available
Triage

HarborGuard is capable of scoring this finding at CVSS 10.0 Critical and applying per-environment compliance policy weighting to prioritize routing; findings are surfaced to the appropriate team inbox within each customer org based on image ownership and policy rules.

Available
Patch

A patched-image rebuild at Altium Enterprise Server 8.1.1 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must be able to reach the NIS service over the network; no local access or special network position is required.

  • AuthenticationNot required

    No credentials, session token, or account of any privilege level are required to exploit either path traversal vulnerability.

  • Victim interactionNot required

    The attacker sends crafted requests directly to the service; no user action or social engineering is needed.

  • Attack complexityDetail

    The exploit is reliable and condition-free: no race conditions, specific memory layout, or environmental dependencies are needed (AC:L, AT:N).

Blast Radius

  • Reads package archive files stored on the server, disclosing deployment package contents and any credentials or configuration embedded in them.
  • Writes arbitrary files to any writable path on the server filesystem, enabling overwrite of application binaries, configuration files, or web-accessible resources.
  • Escalates to remote code execution in the context of the NIS service account by dropping attacker-controlled content to a web-accessible directory or replacing a loaded binary.
  • Compromises systems and data reachable from the server through the service account's privileges, given the high Subsequent System confidentiality, integrity, and availability impact scores.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11420 is active across all connected registries and pipelines the moment the CVE is ingested, covering any image that bundles Altium Enterprise Server below version 8.1.1. A patched-image rebuild at 8.1.1 is available for affected images. For customers who opt into auto-remediation, HarborGuard performs a full rebuild at the fix version, runs a regression test pass, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual review before merge, the rebuilt image and test results are staged and waiting for approver action. Note that Altium 365 cloud deployments are not affected, as the Network Installation Service is not part of the cloud offering; scanning and triage of on-premises Enterprise Server images is where this CVE applies.

See how HarborGuard automates this

Fix available

8.1.1
Affected packages
  • Altium / Altium Enterprise Server
    < 8.1.1 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References