Description
Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file uploads where a user-supplied filename component is used to construct the destination path without validation, allowing arbitrary files to be written to any location writable by the service account. Because the file write operation completes before authentication is validated, the vulnerability can be exploited without any credentials, session, or prior knowledge of the system.




An unauthenticated network attacker can use this primitive to place executable content in directories where it is later executed by the service, resulting in remote code execution under the Vault Service account. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 (commercial and government cloud) at the service level.
Published: 2026-06-05
Score: 10 Critical
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file uploads where a user‑supplied filename component is used to construct the destination path without validation, creating a path‑traversal flaw (CWE‑22) and also a lack of authentication before file writing (CWE‑306). This allows arbitrary files to be written to any location writable by the Vault Service account. Because the file write completes before authentication is validated, the vulnerability can be exploited without any credentials, session, or prior knowledge of the system, giving an unauthenticated network attacker the ability to place executable content in directories that are later executed by the service, leading to remote code execution under the Vault Service account.

Affected Systems

The vulnerability impacts Altium 365 and Altium Enterprise Server. Altium Enterprise Server is affected by versions prior to 8.1.1, which includes the Vault Service ScriptsController that accepts unvalidated file paths. Altium 365 has a service‑level fix that addresses the same flaw.

Risk and Exploitability

With a CVSS score of 10, the vulnerability is considered critical. The EPSS score is < 1 %, and the vulnerability is not listed in the CISA KEV catalog, indicating low current exploitation likelihood but still high potential impact. Because the file write completes before authentication is validated, the flaw can be abused by an unauthenticated attacker to deploy arbitrary code; the attacker can place executable files in locations that the Vault Service subsequently executes, leading to remote code execution under the Vault Service account.

Generated by OpenCVE AI on June 9, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Altium Enterprise Server to version 8.1.1 or later, which contains the fixed Vault Service ScriptsController component.
  • Ensure the Altium 365 service is updated to the latest patched version that remediates the path‑traversal flaw.
  • Limit upload permissions and restrict the ability to specify filenames in the Vault Service ScriptsController, and monitor upload activity for suspicious file paths.

Generated by OpenCVE AI on June 9, 2026 at 19:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Description A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to move arbitrary files outside the intended repository area. This file-move primitive can be used to place attacker-controlled script content into directories where it is later executed by the service, resulting in remote code execution under the Git Service account. On multi-tenant Altium 365 deployments, this could have allowed access to data belonging to other tenants on the same infrastructure node. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level. Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file uploads where a user-supplied filename component is used to construct the destination path without validation, allowing arbitrary files to be written to any location writable by the service account. Because the file write operation completes before authentication is validated, the vulnerability can be exploited without any credentials, session, or prior knowledge of the system. An unauthenticated network attacker can use this primitive to place executable content in directories where it is later executed by the service, resulting in remote code execution under the Vault Service account. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 (commercial and government cloud) at the service level.
Title Path Traversal in Altium Git Service Allows Remote Code Execution Path Traversal in Altium Vault ScriptsController Allows Unauthenticated Remote Code Execution
Weaknesses CWE-306
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

 cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Altium
Altium altium 365
Altium enterprise Server
Vendors & Products Altium
Altium altium 365
Altium enterprise Server

Fri, 05 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Description A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to move arbitrary files outside the intended repository area. This file-move primitive can be used to place attacker-controlled script content into directories where it is later executed by the service, resulting in remote code execution under the Git Service account. On multi-tenant Altium 365 deployments, this could have allowed access to data belonging to other tenants on the same infrastructure node. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.
Title Path Traversal in Altium Git Service Allows Remote Code Execution
Weaknesses CWE-22
CWE-94
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Altium Altium 365 Enterprise Server
cve-icon MITRE

Status: PUBLISHED

Assigner: Altium

Published:

Updated: 2026-06-09T16:06:03.926Z

Reserved: 2026-06-05T20:52:55.972Z

Link: CVE-2026-11429

cve-icon Vulnrichment

Updated: 2026-06-08T13:12:01.221Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-05T22:16:47.503

Modified: 2026-06-09T17:17:00.867

Link: CVE-2026-11429

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T19:30:12Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-306

    Missing Authentication for Critical Function