CVE-2026-11431

Published 05/06/2026 22:16 · Modified 05/06/2026 22:16

Labels: CVE-2026-11431, 2026-06-05, 4760f414-e1ae-4ff1-bdad-c7a9c3538b79, CWE-22

Essential information

Published: 05/06/2026 22:16
Modified: 05/06/2026 22:16
CVSS: 8.3 HIGH (v3), 8.3 HIGH (v4.0)
CISA KEV: No
CWE: CWE-22

Description

A path traversal vulnerability exists in the Projects Service download endpoint shared by Altium Enterprise Server and Altium 365. An authenticated user can supply a crafted path parameter that bypasses validation, allowing arbitrary files (including entire directories returned as archives) to be read from the server filesystem. Because the readable files include service configuration and credential material, exploitation can be used to gather information enabling further compromise. The issue can be combined with CVE-2026-11424 to reach the cloud-side endpoint. On multi-tenant Altium 365 deployments, the readable configuration could have exposed credentials shared across services. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.

NVD status

Status: Received (the CVE has been recently published to the CVE List and has been received by the NVD)
Source: 4760f414-e1ae-4ff1-bdad-c7a9c3538b79

Affected products (CPE)

Product | CPE
altium / altium enterprise server | cpe:2.3:a:altium:altium_enterprise_server:8.1.1:*:*:*:*:*:*:*
altium / altium 365 | cpe:2.3:a:altium:altium_365:*:*:*:*:*:*:*:*
