CVE-2026-11424 (HIGH). CNA: Altium

CVE-2026-11424: Server-Side Request Forgery in Altium Platform Design GraphQL Service Allows Information Disclosure

A server-side request forgery (SSRF) vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a request whose input is treated as a URL by the server and used to issue an outbound HTTP GET request without URL validation or destination filtering. The response body is then returned to the user. This allows an authenticated attacker to reach internal services and metadata endpoints that would not otherwise be accessible from the public network, and to retrieve their contents. The impact is information disclosure and internal infrastructure reconnaissance; the request primitive is limited to HTTP GET with no custom headers. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.

Metrics

CVSS v4.0: 8.3
Severity: HIGH
Fixed in: 8.1.1
Affected Products: 2


HarborGuard Analysis

Synopsis

A server-side request forgery (SSRF) vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated attacker can submit a crafted GraphQL request that causes the server to issue an outbound HTTP GET to an attacker-controlled URL, with the response body returned directly to the attacker. This enables access to internal services and cloud metadata endpoints (such as AWS IMDSv1 or similar) that are not reachable from the public internet, resulting in information disclosure and internal infrastructure reconnaissance. A patched-image rebuild at version 8.1.1 is available on HarborGuard for environments running an affected version of Altium Enterprise Server.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-11424 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that embed the affected Altium Enterprise Server component. Coverage applies to both tagged release images and intermediate build layers.

Triage: Available

HarborGuard scores this CVE at 8.3 HIGH using the CVSS v4.0 vector and weights it against each environment's active compliance policy to determine breach thresholds and escalation priority. Findings are routed to the team inbox or ticketing integration configured for the affected workload within each customer organization.

Patch: Available

A patched-image rebuild pinned to Altium Enterprise Server 8.1.1 becomes available in HarborGuard once the fix version is confirmed against the affected image layers. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs the configured regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable GraphQL endpoint must be reachable over the network; an attacker sends the crafted request directly to the exposed service.

  • Authentication: Required

    Any low-privilege authenticated account is sufficient; no elevated or administrative role is needed to submit the malicious GraphQL request.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker submits the request directly to the server without involving another user.

  • Attack complexity: Low

    The exploit is reliable and condition-free; no race condition, memory layout dependency, or special environmental state is required.

Blast Radius

  • Reads the response body of internal HTTP services not exposed to the public network, including service discovery endpoints and internal APIs.
  • Retrieves cloud instance metadata (for example, temporary IAM credentials from a cloud provider metadata service) if the host runs in a cloud environment without metadata endpoint protection.
  • Enables mapping of internal network topology and service ports by probing internal address ranges through the server's HTTP GET primitive.
  • No write or availability impact is possible through this vulnerability; the attack primitive is limited to read-only HTTP GET requests with no custom header injection.
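The advisory attributes the issue to an outbound GET issued "without URL validation or destination filtering". The following is an added example (not Altium's or HarborGuard's code; helper names such as `validate_outbound_url` are hypothetical) of the destination check a resolver would run before fetching a user-supplied URL: it restricts schemes, rejects embedded credentials, resolves the host, and refuses any address in loopback, private, link-local (where the 169.254.169.254 metadata endpoint lives), multicast, reserved or unspecified space, including IPv4-mapped IPv6 forms. It also returns the vetted addresses so the HTTP client can connect to them directly instead of resolving again.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical helper names (not the vendor's API); run before issuing the GET.
ALLOWED_SCHEMES = {"http", "https"}

def resolve_host(host):
    """Every address a hostname maps to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def is_internal_address(text):
    """Loopback, private, link-local (includes 169.254.169.254 metadata),
    multicast, reserved or unspecified. IPv4-mapped IPv6 is unwrapped so
    ::ffff:169.254.169.254 is judged by the IPv4 rules."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_outbound_url(url, resolve=resolve_host):
    """Return (ok, reason, addresses). On success the client should connect to
    the vetted addresses directly (pinning) so a second DNS lookup cannot be
    rebound; disable redirects or re-validate every hop with this check."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    host = parsed.hostname
    if not host:
        return False, "missing host", []
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in URL", []
    try:
        addresses = [host] if is_ip_literal(host) else resolve(host)
    except OSError:
        addresses = []
    if not addresses:
        return False, "unresolvable host", []
    for addr in addresses:
        if is_internal_address(addr):
            return False, "destination %s is internal" % addr, []
    return True, "ok", list(addresses)
```

The `resolve` parameter exists so the check can be exercised with a constructed DNS table in tests; in production the default resolver is used and every returned address must pass, because a name that maps to one public and one internal address is still a path inward.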

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11424 is matched against customer images within minutes of advisory ingestion. For Altium Enterprise Server images on versions below 8.1.1, a rebuilt image at the fixed version is available. For customers who opt into auto-remediation, HarborGuard performs the image rebuild, executes the configured regression test suite, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Note that Altium 365 is a hosted service remediated at the service level by Altium, so no image rebuild action applies to that variant. Where compliance policy does not permit auto-remediation, customers can use HarborGuard network-policy controls to isolate the affected service from internal metadata endpoints and non-essential internal address ranges as a compensating control until the image is updated.


Fix available: 8.1.1

Affected packages
  • Altium / Altium Enterprise Server: < 8.1.1 (from 0)
  • Altium / Altium 365: unspecified

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N