Altium Enterprise Server: Seven Critical Path Traversal and SSRF Flaws Disclosed
Seven vulnerabilities, including critical path traversal and SSRF flaws, were disclosed for Altium Enterprise Server and Altium 365 on June 5, 2026.

Key findings
- Seven vulnerabilities disclosed together for Altium Enterprise Server and Altium 365 on June 5, 2026.
- Critical path traversal flaws allow arbitrary file read/write for authenticated and unauthenticated users.
- CVE-2026-11424: Critical SSRF vulnerability in GraphQL service allows unauthorized outbound requests.
- CVE-2026-11420: Unauthenticated path traversal in NIS allows arbitrary file write/read.
- CVE-2026-11414: Hard-coded key allows forging download signatures for Vault files.
- The batch includes five Critical and two High severity vulnerabilities.

On June 5, 2026, a cluster of seven security vulnerabilities affecting Altium Enterprise Server and Altium 365 was disclosed, with all advisories published within a two-hour window. The batch includes critical and high-severity flaws, predominantly path traversal and server-side request forgery (SSRF) issues, impacting various services within the platform. These vulnerabilities could allow authenticated or even unauthenticated attackers to read or write arbitrary files on the server, or to perform unauthorized requests.
The majority of the disclosed vulnerabilities are path traversal flaws, which permit attackers to access files and directories outside of their intended scope. CVE-2026-11431, rated High, affects the Projects Service download endpoint, enabling an authenticated user to read arbitrary files by supplying a crafted path parameter. Similarly, CVE-2026-11429, a Critical vulnerability in the Git Service, allows authenticated users to move arbitrary files using post-clone operations without proper validation. The Collaboration Service is also impacted by path traversal in CVE-2026-11423 (Critical), where crafted filenames in collaboration messages can lead to unintended file access. Another Critical path traversal vulnerability, CVE-2026-11419, exists in the Vault Service's UploadController, allowing authenticated users to bypass storage root restrictions and write arbitrary files.
Further exacerbating the risk, CVE-2026-11420, a Critical vulnerability in the Network Installation Service (NIS), allows unauthenticated network attackers to write arbitrary files to any writable location and read package archive files from the server. This particular vulnerability bypasses authentication, session, and credential requirements, posing a significant threat to exposed instances.
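The storage-root bypass described for the Vault UploadController and the NIS file write is the classic containment failure: a client-supplied path is joined onto a base directory and used without checking where the result lands. The following is an added illustration, not Altium's code; the storage root, file names and sample inputs are constructed, and it shows the vulnerable join beside a hardened resolver that validates the normalised result rather than pattern-matching the input.

```python
import posixpath

# Hypothetical storage root; the real Vault layout is not described in the advisories.
STORAGE_ROOT = "/var/lib/vault/storage"


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would land outside the storage root."""


def unsafe_resolve(storage_root: str, client_path: str) -> str:
    # Vulnerable pattern: the client-controlled path is joined onto the root and
    # used as-is. "../" segments walk out of the root, and posixpath.join
    # discards the root entirely when the client path is absolute.
    return posixpath.normpath(posixpath.join(storage_root, client_path))


def safe_resolve(storage_root: str, client_path: str) -> str:
    # Hardened version: reject NUL bytes and absolute paths, treat backslashes
    # as separators, normalise, then check containment on the *result* instead
    # of searching the input for ".." substrings (which misses encoded variants
    # and wrongly rejects harmless paths such as "docs/../readme.txt").
    if "\x00" in client_path:
        raise PathTraversalError("NUL byte in path")
    client_path = client_path.replace("\\", "/")
    if posixpath.isabs(client_path):
        raise PathTraversalError("absolute path rejected")
    root = posixpath.normpath(storage_root)
    candidate = posixpath.normpath(posixpath.join(root, client_path))
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        raise PathTraversalError(f"path escapes storage root: {client_path!r}")
    # A real service should also resolve symlinks (os.path.realpath) before this
    # check, since a link inside the root can still point outside it.
    return candidate


def is_contained(storage_root: str, client_path: str) -> bool:
    # Boolean wrapper so callers can classify inputs without handling the exception.
    try:
        safe_resolve(storage_root, client_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate paths, three traversal attempts.
    samples = ["projects/board.PcbDoc", "docs/../readme.txt", "../../../etc/passwd",
               "/etc/passwd", "docs\\..\\..\\..\\..\\..\\etc/passwd"]
    for p in samples:
        print(f"{p!r:42} unsafe -> {unsafe_resolve(STORAGE_ROOT, p):32} "
              f"contained={is_contained(STORAGE_ROOT, p)}")
```

The unsafe resolver happily yields paths under /etc for the traversal inputs, while the hardened one accepts only results that stay beneath the root.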
Beyond path traversal, a critical Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-11424, exists within a GraphQL service component. This flaw allows an authenticated user to trick the server into issuing outbound HTTP GET requests to arbitrary destinations without proper validation or filtering, potentially leading to internal network reconnaissance or interaction with other internal services.
Adding to the severity, CVE-2026-11414, a Critical vulnerability, involves a hard-coded cryptographic key used by the Vault service to sign file download URLs. Because this key is uniform across all installations, an unauthenticated attacker who can reach the server can forge valid download signatures, granting them unauthorized access to files stored within the Vault. This bypasses the intended security mechanisms for file retrieval.
All seven vulnerabilities were disclosed on June 5, 2026, indicating a coordinated disclosure event. While the specific patch versions are not detailed in the initial advisories, users of Altium Enterprise Server and Altium 365 are strongly advised to consult Altium's official security advisories for the latest information on affected versions and available patches. The concentration of critical path traversal and SSRF vulnerabilities within a single disclosure event highlights the importance of timely patching and security vigilance for users of Altium's products.