VYPR
Critical severity · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-11420

Description

Altium Enterprise Server NIS has two path traversal flaws enabling unauthenticated file writes and reads, potentially leading to RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Two path traversal vulnerabilities exist in the Network Installation Service (NIS) of Altium Enterprise Server. These flaws allow an unauthenticated network attacker to write arbitrary files to any writable location on the server filesystem and to read package archive files from the server. Altium 365 cloud deployments are not affected, because NIS is not part of the cloud offering.

Exploitation

A network attacker can exploit these vulnerabilities without any authentication, session, or credentials. The attacker can write arbitrary files to any writable location on the server filesystem and read package archive files from the server.

Impact

Exploitation can lead to remote code execution in the context of the service account if content-controlled files are written to web-accessible directories or used to overwrite application binaries or configuration files. Additionally, an attacker can disclose the contents of deployment packages.

Mitigation

Not yet disclosed in the available references.

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
