CVE-2026-14439: Path Traversal in Altium Git Service Allows Remote Code Execution
A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to move arbitrary files outside the intended repository area. This file-move primitive can be used to place attacker-controlled script content into directories where it is later executed by the service, resulting in remote code execution under the Git Service account. On multi-tenant Altium 365 deployments, this could have allowed access to data belonging to other tenants on the same infrastructure node. Altium Enterprise Server is fixed in 8.1.1. The issue has been remediated across Altium 365 shared multi-tenant deployments at the service level; remediation is in progress on remaining Altium 365 deployments.
Metrics
- CVSS v4.0: 9.4
- Severity: CRITICAL
- Fixed in: 8.1.1
- Affected Products: 2
HarborGuard Analysis
Synopsis
A path traversal vulnerability in the Git Service component of Altium Enterprise Server and Altium 365 allows an authenticated user with basic git access to move arbitrary files outside the intended repository boundary. The service is reachable over the network and requires no elevated privileges, only a low-privilege git account. Successful exploitation lets an attacker place attacker-controlled script content into executable directories, resulting in remote code execution under the Git Service account; on multi-tenant Altium 365 deployments, this also exposes data belonging to other tenants on the same infrastructure node. A patched-image rebuild at version 8.1.1 is available on HarborGuard for environments running Altium Enterprise Server at an affected version.
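The root cause described above and in the synopsis is a file-move operation that trusts user-supplied paths. Below is an added example, not Altium's or HarborGuard's code, of the containment check such an operation should apply: Python, with constructed sample paths and a throwaway temporary repository (the Git Service's real language and API are not given in this advisory and are not reproduced here).

```python
import os
import tempfile
from pathlib import Path

class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the repository root."""

def resolve_within_repo(repo_root: str, user_path: str) -> Path:
    """Canonicalise user_path against repo_root and refuse anything that escapes it.
    '..' and symlinks are resolved *before* the containment check, so both are caught."""
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")):
        raise PathTraversalError(f"absolute path not allowed: {user_path!r}")
    root = Path(repo_root).resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise PathTraversalError(f"path escapes repository: {user_path!r}")
    return candidate

def is_within_repo(repo_root: str, user_path: str) -> bool:
    """Boolean form of the check, handy for request filters and tests."""
    try:
        resolve_within_repo(repo_root, user_path)
        return True
    except PathTraversalError:
        return False

def safe_move(repo_root: str, src: str, dst: str) -> Path:
    """Move src to dst, both validated as repo-relative; never overwrites."""
    s, d = resolve_within_repo(repo_root, src), resolve_within_repo(repo_root, dst)
    if d.exists():
        raise FileExistsError(f"refusing to overwrite {d}")
    d.parent.mkdir(parents=True, exist_ok=True)
    os.replace(s, d)
    return d

def demo() -> dict:
    """Constructed scenario: a throwaway repo holding one file plus a symlink
    that points outside the repo; reports which moves pass the check."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repos", "proj")
        (repo / "scripts").mkdir(parents=True)
        (repo / "scripts" / "hook.txt").write_text("constructed sample\n")
        (repo / "escape").symlink_to(Path(tmp))  # symlink out of the repo
        return {
            "in_repo": safe_move(str(repo), "scripts/hook.txt", "moved/hook.txt").exists(),
            "dotdot": is_within_repo(str(repo), "../../outside/hook.txt"),
            "symlink": is_within_repo(str(repo), "escape/hooks/hook.txt"),
        }
```

The string-prefix check alone is not enough: a relative path such as `docs/../../x`, or a symlink inside the repository, only reveals its real target after resolution, which is why the check runs on the resolved path.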
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the Altium Git Service component. Any image found running an affected version of Altium Enterprise Server is flagged immediately.
HarborGuard surfaces this finding with its CVSS v4.0 score of 9.4 (Critical) and applies per-environment compliance policy weighting to prioritize routing. The resulting alert is directed to the appropriate team inbox within each customer organization based on ownership and policy configuration.
For environments running an affected version of Altium Enterprise Server, a patched-image rebuild at version 8.1.1 becomes available through HarborGuard once the fix version is confirmed against the image manifest. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Note that Altium 365 is a hosted service and its remediation status depends on Altium's own deployment rollout rather than image rebuilds.
Exploit Conditions
- Network reachability: Required
The Git Service is exposed over the network, so an attacker must be able to reach it via HTTP or HTTPS from a remote host.
- Authentication: Required
Any low-privilege git account is sufficient; no administrative or elevated credentials are needed to trigger the path traversal.
- Victim interaction: Not required
No user interaction is required; the attacker sends crafted post-clone file-manipulation operations directly to the service.
- Attack complexity: Low
Exploitation is reliable and condition-free: no race conditions, memory layout requirements, or environmental dependencies are involved.
Blast Radius
- Attacker writes arbitrary script content into server-side executable directories and achieves remote code execution running as the Git Service account.
- On multi-tenant Altium 365 nodes, the Git Service account context gives access to repository data and stored credentials belonging to other tenants sharing the same infrastructure node.
- An attacker with code execution under the service account can read, modify, or delete persisted repository contents across all projects hosted by that service instance.
- Full compromise of the Git Service process integrity allows the attacker to tamper with source files, inject backdoors into design artifacts, or disrupt repository availability entirely.
How HarborGuard Handles This
Available on HarborGuard: for Altium Enterprise Server images at versions below 8.1.1, a patched-image rebuild is available at the fixed version. Where compliance policy permits, customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads automatically, with a median time to merged patch PR of around 90 minutes for critical-severity findings. For Altium 365, remediation is upstream-controlled at the service level; HarborGuard re-checks the advisory each ingest cycle and will reflect any updated fix version as soon as Altium publishes one. In the interim, customers running self-hosted deployments or internal forks of the Git Service component should consider network-policy controls that restrict which internal hosts can reach the Git Service port, limit git account provisioning to only verified users, and review egress filtering to constrain what the service account can reach externally.
Fix available
- Altium / Altium Enterprise Server: < 8.1.1 (from 0)
- Altium / Altium 365: unspecified
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H