Description
A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem.
Because the readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.
Published: 2026-05-20
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw in the Altium Enterprise Server Viewer StorageController allows a regular authenticated user to specify a URL-encoded absolute file path in a Viewer storage API request. The server discards the configured storage root and reads the requested file, exposing sensitive data such as database credentials, signing key locations, certificate passwords, and OAuth secrets. The flaw maps to CWE-22 (Path Traversal) in its root cause and CWE-200 (Information Exposure) in its effect, directly leading to disclosure of all server secrets and potential full compromise of the server and its data.

Affected Systems

On‑premise installations of Altium Enterprise Server that configure local filesystem storage are affected. Cloud deployments, which employ object storage and do not activate the StorageController component, are not impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 9.4, indicating critical severity. No EPSS score is available and it is not listed in the CISA KEV catalog; nevertheless, the flaw lets a regular authenticated user read arbitrary files from the server filesystem with a single API request. The attack surface is limited to users with legitimate access to the Viewer API, but the consequence, full disclosure of server secrets, makes this an extremely high-risk vulnerability.

Generated by OpenCVE AI on May 20, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Altium Enterprise Server update that addresses the path traversal flaw.
  • For deployments that cannot be patched immediately, restrict the Viewer StorageController API to trusted internal applications only and disable the ability to specify absolute paths in storage requests.
  • Enforce strict validation of file path parameters in the StorageController to reject absolute or URL‑encoded paths that reference directories outside the configured storage root.
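The following is an added illustration of the flaw class the description and the last recommended action refer to; it is not Altium code. It assumes a Windows-style storage root (hence ntpath, since the description mentions an encoded drive letter), and the root and request parameters are constructed. The vulnerable join sits beside a hardened resolver that decodes once, rejects absolute or drive-qualified input, and confirms the normalised result stays under the root.

```python
"""Unsafe vs hardened handling of a file-path route parameter.

Added example, not Altium code: it models the flaw class the advisory
describes, where a URL-encoded absolute path makes the path join discard
the configured storage root. Root and request parameters are constructed.
"""
import ntpath
from urllib.parse import unquote


def naive_resolve(root: str, encoded_param: str) -> str:
    """The vulnerable pattern: decode the route parameter and join it onto
    the storage root. ntpath.join (like .NET's Path.Combine) returns the
    second argument unchanged when it carries its own drive or root, so the
    configured storage root is silently discarded."""
    return ntpath.join(root, unquote(encoded_param))


class PathOutsideStorageRoot(ValueError):
    """Raised when a request parameter would resolve outside the root."""


def safe_resolve(root: str, encoded_param: str) -> str:
    """Hardened version: decode exactly once, reject anything still encoded
    or carrying a drive, UNC prefix or leading separator, then normalise the
    joined path and require it to remain under the configured root."""
    rel = unquote(encoded_param)
    if "\x00" in rel or "%" in rel:
        # Embedded NUL or a second encoding layer: refuse rather than guess.
        raise PathOutsideStorageRoot(encoded_param)
    drive, tail = ntpath.splitdrive(rel)
    if drive or ntpath.isabs(rel) or tail[:1] in ("\\", "/"):
        raise PathOutsideStorageRoot(encoded_param)
    root_norm = ntpath.normpath(root)
    full = ntpath.normpath(ntpath.join(root_norm, rel))
    # normpath has collapsed any '..' segments; the result must still sit
    # under the root (ntpath.commonpath compares case-insensitively).
    if ntpath.commonpath([root_norm, full]) != root_norm:
        raise PathOutsideStorageRoot(encoded_param)
    return full


def rejects(root: str, encoded_param: str) -> bool:
    """True when safe_resolve refuses the parameter; handy for tabletop checks."""
    try:
        safe_resolve(root, encoded_param)
    except PathOutsideStorageRoot:
        return True
    return False
```

With a constructed root of `D:\AltiumStorage`, `naive_resolve` turns the encoded `C:\secrets.xml` into exactly that path, while `safe_resolve` refuses it along with `..\..\config.xml`, `\Windows\win.ini` and double-encoded input, and accepts `projects/board.PcbDoc`.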


Advisories

No advisories yet.

History

Wed, 20 May 2026 20:15:00 +0000

Values Removed: none
Values Added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 19:30:00 +0000

Values Removed: none
Values Added:
  Description: A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem. Because the readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.
  Title: Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read
  Weaknesses: CWE-200, CWE-22
  References: (none listed)
  Metrics: cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Altium

Published:

Updated: 2026-05-20T19:28:30.057Z

Reserved: 2026-05-20T17:52:55.487Z

Link: CVE-2026-9129

Vulnrichment

Updated: 2026-05-20T19:28:26.558Z

NVD

Status: Received

Published: 2026-05-20T20:16:45.717

Modified: 2026-05-20T20:16:45.717

Link: CVE-2026-9129

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T20:45:03Z

Weaknesses