CVE-2026-9129

Vulnerability

A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. In on-premise deployments using local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded [1]. No specific version range is mentioned in the available references, so affected versions are those prior to the fix.

Exploitation

An attacker must have a regular authenticated user account on an on-premise Altium Enterprise Server deployment that uses local filesystem storage. The attacker sends a specially crafted API request containing a URL-encoded absolute path to the Viewer storage endpoint, bypassing the intended storage root restriction [1]. Cloud deployments using object storage are not affected [1].

Impact

Successful exploitation allows arbitrary files to be read from the server filesystem. The readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets [1]. This can lead to disclosure of all server secrets and full compromise of the server and its data.

Mitigation

No specific fixed version or release date is mentioned in the available references [1]. Cloud deployments are not affected and do not require mitigation. On-premise administrators should monitor the Altium security advisory page [1] for a patch. If no fix is available, consider restricting access to the Viewer storage API or migrating to object storage if possible.