216.73.217.22

CVE-2026-11424

· Published 05/06/2026 22:16 · Modified 05/06/2026 22:16

Labels: CVE-2026-11424 2026-06-054760f414-e1ae-4ff1-bdad-c7a9c3538b79CVE-2026-11424CWE-200

Essential information

Published
05/06/2026 22:16
Modified
05/06/2026 22:16
Author
Creator
CVSS
8.3 HIGH (v3) 8.3 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

A server-side request forgery (SSRF) vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a request whose input is treated as a URL by the server and used to issue an outbound HTTP GET request without URL validation or destination filtering. The response body is then returned to the user. This allows an authenticated attacker to reach internal services and metadata endpoints that would not otherwise be accessible from the public network, and to retrieve their contents. The impact is information disclosure and internal infrastructure reconnaissance; the request primitive is limited to HTTP GET with no custom headers. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
4760f414-e1ae-4ff1-bdad-c7a9c3538b79
NVD
View on NVD

Affected products (CPE)

ProductCPE
altium / altium enterprise server cpe:2.3:a:altium:altium_enterprise_server:8.1.1:*:*:*:*:*:*:*
altium / altium 365 cpe:2.3:a:altium:altium_365:*:*:*:*:*:*:*:*

References