Description
A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and retrieve files from the Vault storage area without any authentication, session, or credentials.

A separate path traversal vulnerability in the same download endpoint allows the configured storage root to be escaped, enabling reads of arbitrary files on the server filesystem. Combined, these issues allow an unauthenticated attacker to obtain sensitive server configuration and key material, which can lead to full server compromise. The vulnerability can be chained with CVE-2026-9152 to enumerate and bulk-download stored content. Altium 365 cloud deployments are not impacted in practice, as file storage uses object storage rather than the local filesystem.
Published: 2026-06-05
Score: 10 (Critical)
EPSS: < 1% (Very Low)
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Altium Enterprise Server uses a hard‑coded cryptographic key to sign file download URLs for its Vault service, a key that is identical across all installations. This allows an unauthenticated network attacker with reach to the server to forge valid download signatures and retrieve files from the Vault storage without authentication, session, or credential requirements. A separate path‑traversal flaw in the same endpoint permits the configured storage root to be escaped, enabling reads of arbitrary files on the server file system. The combination of these flaws allows the attacker to obtain sensitive configuration data, key material, and additional files, potentially leading to a full compromise of the affected server. The vulnerability can be chained with CVE-2026-9152 to enumerate and bulk‑download all stored content.

Affected Systems

Altium Enterprise Server is affected. The flaw exists in all installations regardless of version, as the cryptographic key is hard‑coded and the path‑traversal logic is unchanged. Altium 365 cloud deployments are not impacted because they use object storage rather than the local file system.

Risk and Exploitability

The CVSS score of 10 indicates maximum severity. EPSS data is not available, but the vulnerability can be exploited by any unauthenticated network attacker who can reach the Vault service. The flaw is not listed in the CISA KEV catalog. The likely attack vector is via unauthenticated HTTP requests to the Vault download endpoint, where an attacker forges a signature and optionally includes a traversal path to read arbitrary files. The danger is amplified by the ability to combine the flaw with CVE-2026-9152 for broader data exfiltration.

Generated by OpenCVE AI on June 5, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch or upgrade Altium Enterprise Server to the latest version that removes the hard‑coded key and fixes the path‑traversal flaw.
  • If a patch is not available, restrict network access to the Vault download endpoint so that only trusted hosts can reach it, or disable the endpoint entirely until a fix is applied.
  • Configure additional controls such as a firewall rule or reverse‑proxy restriction to block unauthenticated HTTP requests to the Vault service and monitor logs for anomalous activity, ensuring any attempted forgeries or traversal attempts are detected promptly.
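The two root causes named above (a signing key compiled into the product and a download path that is not confined to the storage root) have a standard defensive shape. The following is an added example written for this page, not code from Altium or OpenCVE: a hypothetical Vault-style download endpoint whose URLs carry `path`, `expires` and `sig` query parameters (parameter names, the storage root `/var/lib/vault/storage` and the key handling are all assumptions). It shows a per-deployment key generated at install time, an HMAC that binds the path to an expiry, a constant-time signature check, and string-level path normalisation that rejects anything escaping the storage root.

```python
"""Per-deployment signed download URLs with storage-root confinement.

Added example (not Altium's or OpenCVE's code). Assumes a hypothetical
download endpoint taking ?path=...&expires=...&sig=...; the storage root,
parameter names and key source are illustrative assumptions.
"""
import hashlib
import hmac
import posixpath
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed storage root for the demo.
STORAGE_ROOT = "/var/lib/vault/storage"


def generate_deployment_key() -> bytes:
    """Fresh random key, to be generated once per installation at install
    time and kept in the server's secret store. A constant baked into the
    binary is exactly what lets every installation's URLs be forged."""
    return secrets.token_bytes(32)


def confine_to_root(root: str, requested: str) -> Optional[str]:
    """Return the normalised absolute path if it stays under root, else None.

    Pure string normalisation so the check runs without a filesystem; a
    production server should additionally resolve symlinks (realpath) and
    apply the same check to the resolved path."""
    if not requested or "\x00" in requested or "\\" in requested:
        return None
    if posixpath.isabs(requested):
        return None
    full = posixpath.normpath(posixpath.join(root, requested))
    # normpath has collapsed every ".." segment; a path that walked out of
    # the root now shares only a shorter prefix with it.
    if posixpath.commonpath([root, full]) != root or full == root:
        return None
    return full


def _message(rel_path: str, expires: int) -> bytes:
    # Sign path and expiry together so neither can be swapped independently.
    return f"{rel_path}\n{expires}".encode()


def sign_download_url(key: bytes, base: str, rel_path: str,
                      ttl_seconds: int = 300, now: Optional[int] = None) -> Optional[str]:
    """Issue a time-limited URL for a file inside the storage root."""
    if confine_to_root(STORAGE_ROOT, rel_path) is None:
        return None
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(key, _message(rel_path, expires), hashlib.sha256).hexdigest()
    return f"{base}?" + urlencode({"path": rel_path, "expires": expires, "sig": sig})


def verify_download_url(key: bytes, url: str, now: Optional[int] = None) -> Optional[str]:
    """Return the confined filesystem path to serve, or None to reject."""
    q = parse_qs(urlparse(url).query)
    try:
        rel_path = q["path"][0]
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None
    now = int(time.time()) if now is None else now
    if now >= expires:
        return None
    expected = hmac.new(key, _message(rel_path, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison; a mismatch means the URL was not issued
    # under this installation's key or was altered after issue.
    if not hmac.compare_digest(expected, sig):
        return None
    # Re-check confinement at serve time; never trust the signed path alone.
    return confine_to_root(STORAGE_ROOT, rel_path)


if __name__ == "__main__":
    key = generate_deployment_key()
    url = sign_download_url(key, "https://vault.example/download", "projects/board.PcbDoc")
    print(url)
    print(verify_download_url(key, url))
```

The order of checks in `verify_download_url` matters for the chaining the description mentions: the signature is validated before the path is even looked at, so a traversal string reaches the filesystem check only when it was issued under the installation's own key, and `confine_to_root` then rejects it regardless.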

Generated by OpenCVE AI on June 5, 2026 at 21:06 UTC.

Tracking

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 19:30:00 +0000

Type        | Values Removed | Values Added
Description |                | A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and retrieve files from the Vault storage area without any authentication, session, or credentials. A separate path traversal vulnerability in the same download endpoint allows the configured storage root to be escaped, enabling reads of arbitrary files on the server filesystem. Combined, these issues allow an unauthenticated attacker to obtain sensitive server configuration and key material, which can lead to full server compromise. The vulnerability can be chained with CVE-2026-9152 to enumerate and bulk-download stored content. Altium 365 cloud deployments are not impacted in practice, as file storage uses object storage rather than the local filesystem.
Title       |                | Unauthenticated File Exfiltration in Altium Enterprise Server Vault Service via Hard-coded Cryptographic Key and Path Traversal
Weaknesses  |                | CWE-22, CWE-798
References  |                |
Metrics     |                | cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Altium

Published:

Updated: 2026-06-05T19:01:12.061Z

Reserved: 2026-06-05T18:44:36.347Z

Link: CVE-2026-11414

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-05T20:17:29.033

Modified: 2026-06-05T20:49:52.790

Link: CVE-2026-11414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T21:15:05Z

Weaknesses