CVE-2026-11429

Vulnerability

Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file uploads where a user-supplied filename component is used to construct the destination path without validation. This allows arbitrary files to be written to any location writable by the service account. The affected versions are Altium Enterprise Server prior to 8.1.1 and all Altium 365 cloud deployments (commercial and government cloud) [1].

Exploitation

An unauthenticated network attacker can exploit this vulnerability without any credentials, session, or prior knowledge of the system. The file write operation completes before authentication is validated, allowing the attacker to place executable content in directories that are later executed by the service [1].

Impact

Successful exploitation allows an unauthenticated network attacker to achieve remote code execution under the Vault Service account. This compromises the confidentiality, integrity, and availability of the affected systems [1].

Mitigation

Altium Enterprise Server is fixed in version 8.1.1. The issue has been remediated in Altium 365 (commercial and government cloud) at the service level, with no customer action required [1].