Description
A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem.

Because content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service.
Published: 2026-05-20
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw exists in the Altium Enterprise Server ComparisonService because the Gerber file upload APIs do not sanitize the filename supplied in the multipart Content-Disposition header. An attacker holding an ordinary authenticated workspace account can supply a filename containing directory-ascending segments and write a file with attacker-controlled content to any location the service account can reach on the server filesystem. If that location is served by the web tier, the flaw can be escalated to remote code execution in the context of the service account; alternatively the attacker can overwrite application binaries or configuration files, taking over the service or denying it. The vulnerability is classified under CWE-22 (path traversal) and CWE-434 (unrestricted upload) and carries a CVSS v4.0 base score of 9.4 (Critical), with High impact on both the vulnerable system and subsequent systems.

Affected Systems

The advisory does not list specific affected versions, so every deployment of Altium Enterprise Server should be treated as affected until Altium states otherwise. The flaw resides in the ComparisonService component of the server.

Risk and Exploitability

The CVSS v4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, with every impact metric High) describes a network-reachable flaw that needs only low privileges and no user interaction and has severe confidentiality, integrity and availability impact. EPSS is not yet available, so exploitation likelihood cannot be quantified, but the attack path is the normal user workflow, uploading a Gerber file with a crafted filename, and the missing input validation makes it straightforward for any authenticated workspace user. The vulnerability is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so no in-the-wild exploitation had been reported at publication; the capability is nonetheless present.

Generated by OpenCVE AI on May 20, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Altium patch, or upgrade to a version in which the ComparisonService sanitizes upload filenames, as soon as the vendor publishes one; no fix or workaround was available at the time of this record.
  • Until then, reduce exposure. The attacker must hold a workspace account, so limit which accounts may upload Gerber files to the comparison APIs and review those accounts. Run the service under a dedicated account whose write access is confined to its own upload and data directories, so that a traversal cannot reach web-served directories, application binaries or configuration files. Where a reverse proxy sits in front of the service, reject multipart parts whose filename parameter contains "..", a forward slash or a backslash, a NUL byte, or percent-encoded forms of these; check the RFC 2231 filename*= form as well as filename=, since a rule that only inspects the literal filename= value is bypassed by the encoded variant if the service decodes it.
  • Deploy a web application firewall rule or equivalent detection for those filename patterns, and monitor for file creation by the service account outside its upload directory and for unexpected new or modified files in web-served directories, binaries and configuration, so that exploitation is caught early.

Generated by OpenCVE AI on May 20, 2026 at 20:43 UTC.
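The analysis above describes the flaw (an unsanitized multipart filename joined to the temporary upload directory) and the recommended actions describe the countermeasures (rejecting traversal sequences, and a WAF or log rule on multipart headers). The following Python is an added example written for this page; it is not Altium's code and not the ComparisonService's implementation, whose language is not given here. It shows the vulnerable join beside a hardened handler and a header-level detector, run against a constructed request. The minimal multipart parser, the Gerber extension allowlist, the directory layout and the sample Content-Disposition values are all assumptions made for illustration.

```python
import os
import re
import secrets
import tempfile
from pathlib import Path

BOUNDARY = b"----ConstructedBoundary7d3a"
FILENAME_RE = re.compile(r'filename="([^"]*)"')
# Assumed allowlist of Gerber/drill extensions the service would accept.
GERBER_EXTENSIONS = {".gbr", ".gtl", ".gbl", ".gts", ".gbs", ".gto", ".gbo", ".gko", ".drl", ".zip"}
# Markers a WAF or log rule should flag inside a filename parameter.
TRAVERSAL_MARKERS = re.compile(r"\.\.|[\\/]|%2e|%2f|%5c|%00|\x00|^[a-z]:", re.IGNORECASE)
SAMPLE_HEADERS = [  # constructed Content-Disposition values; only the first is benign
    'form-data; name="gerber"; filename="board.gtl"',
    'form-data; name="gerber"; filename="../../webroot/evil.txt"',
    'form-data; name="gerber"; filename="..\\..\\Program Files\\app\\service.exe"',
    "form-data; name=\"gerber\"; filename*=UTF-8''..%2F..%2Fwebroot%2Fevil.txt",
]


def build_body(filename: str, payload: bytes, boundary: bytes = BOUNDARY) -> bytes:
    """Build a one-part multipart/form-data body as a client would send it (constructed)."""
    return (b"--" + boundary + b"\r\n"
            + b'Content-Disposition: form-data; name="gerber"; filename="' + filename.encode()
            + b'"\r\nContent-Type: application/octet-stream\r\n\r\n'
            + payload + b"\r\n--" + boundary + b"--\r\n")

def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Minimal multipart parser: (headers, content) per part; the filename is left as sent."""
    parts = []
    for chunk in body.split(b"--" + boundary):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk == b"--":
            continue
        raw_headers, _, content = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in raw_headers.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        parts.append((headers, content))
    return parts

def vulnerable_save(upload_dir: Path, filename: str, data: bytes) -> Path:
    """Flawed pattern: the client name is joined to the temp upload dir unsanitized, so '..' walks out."""
    dest = Path(os.path.join(upload_dir, filename))
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest.resolve()

def hardened_save(upload_dir: Path, filename: str, data: bytes) -> Path:
    """Never trust the client name: reject both separators, '..' and NUL, allowlist the
    extension, store under a server-generated name, then verify containment (defence in depth)."""
    if not filename or "\x00" in filename or re.search(r"[\\/]|\.\.", filename):
        raise ValueError("rejected filename: %r" % filename)
    ext = Path(filename).suffix.lower()
    if ext not in GERBER_EXTENSIONS:
        raise ValueError("rejected extension: %r" % ext)
    base = upload_dir.resolve()
    dest = (base / (secrets.token_hex(16) + ext)).resolve()
    if dest.parent != base:
        raise ValueError("path escaped upload directory")
    base.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest

def suspicious_content_disposition(value: str) -> bool:
    """Detection rule (WAF or log pipeline): flag a filename= or RFC 2231 filename*= value
    carrying a separator, dot-dot, a percent-encoded equivalent, a NUL or a drive letter."""
    for m in re.finditer(r'filename(\*)?=\s*(?:"([^"]*)"|([^;\s]*))', value, re.IGNORECASE):
        raw = m.group(2) if m.group(2) is not None else (m.group(3) or "")
        if m.group(1):  # filename*=charset'lang'encoded-value: keep only the encoded part
            raw = raw.rsplit("'", 1)[-1]
        if TRAVERSAL_MARKERS.search(raw):
            return True
    return False

def demo() -> dict:
    """Run both handlers on a traversal request under a throwaway directory and report
    where each one wrote or why it refused."""
    root = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    upload_dir = root / "uploads" / "tmp"
    upload_dir.mkdir(parents=True)
    body = build_body("../../webroot/evil.txt", b"<constructed payload>")
    headers, content = parse_multipart(body, BOUNDARY)[0]
    name = FILENAME_RE.search(headers["content-disposition"]).group(1)
    escaped = vulnerable_save(upload_dir, name, content)
    refusals = {}
    for bad in (name, "notes.txt"):
        try:
            hardened_save(upload_dir, bad, content)
        except ValueError as exc:
            refusals[bad] = str(exc)
    safe = hardened_save(upload_dir, "board.gtl", content)
    return {
        "client_filename": name,
        "vulnerable_wrote_outside": not escaped.is_relative_to(upload_dir.resolve()),
        "file_landed_in_webroot": (root / "webroot" / "evil.txt").exists(),
        "hardened_refusals": refusals,
        "hardened_path_inside": safe.is_relative_to(upload_dir.resolve()),
        "flagged_headers": [suspicious_content_disposition(h) for h in SAMPLE_HEADERS],
    }
```

Calling demo() writes under a fresh temporary directory and returns a dict: the vulnerable handler lands the file in the sibling webroot directory two levels above the upload directory, the hardened handler refuses the same name (and a disallowed extension) while storing a benign upload under a random server-side name inside the upload directory, and the detector flags the three malicious header values but not the benign one. Two design points: the hardened handler validates the decoded filename and never uses it for the stored name, so the final containment check is a backstop rather than the primary control; and the detector inspects the RFC 2231 filename*= form and percent-encoded separators, which a rule that only scans filename="..." for a literal ".." or "/" would miss.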

Advisories

No advisories yet.

History

Wed, 20 May 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 19:30:00 +0000

Values removed: (none)
Values added:
  Description: A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem. Because content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service.
  Title: Path Traversal in Altium Enterprise Server ComparisonService Allows Arbitrary File Write
  Weaknesses: CWE-22, CWE-434
  References: (none shown)
  Metrics (cvssV4_0): {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

MITRE

Status: PUBLISHED

Assigner: Altium

Published:

Updated: 2026-05-20T19:30:23.892Z

Reserved: 2026-05-20T16:06:24.984Z

Link: CVE-2026-9102

Vulnrichment

Updated: 2026-05-20T19:29:45.536Z

NVD

Status : Received

Published: 2026-05-20T20:16:41.513

Modified: 2026-05-20T20:16:41.513

Link: CVE-2026-9102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T20:45:03Z

Weaknesses