CVE-2026-11429: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Altium Altium Enterprise Server
CVE-2026-11429 is a critical path traversal vulnerability in the Git Service component shared by Altium Enterprise Server and Altium 365. It allows an authenticated user with basic git access to move arbitrary files outside the intended repository by exploiting insufficient path validation. This can lead to placing attacker-controlled scripts in locations where they are executed by the service, resulting in remote code execution under the Git Service account. The vulnerability also posed a risk of cross-tenant data access in multi-tenant Altium 365 deployments. Altium Enterprise Server version 8. 1. 1 includes a fix, and Altium 365 has been remediated at the service level.
AI Analysis
Technical Summary
The vulnerability arises from improper limitation of pathname (CWE-22) in the Git Service component of Altium Enterprise Server and Altium 365. The service processes post-clone file-manipulation operations using user-supplied paths without adequate validation, enabling authenticated users with minimal git privileges to move files outside the repository boundary. This file-move capability can be abused to deploy malicious scripts that the service later executes, leading to remote code execution (CWE-94). In multi-tenant Altium 365 environments, this could have allowed unauthorized access to other tenants' data. The issue is fixed in Altium Enterprise Server 8.1.1 and mitigated in Altium 365 at the service level.
Potential Impact
Successful exploitation allows remote code execution with the privileges of the Git Service account. This can lead to full compromise of the affected server and unauthorized access to data across tenants in multi-tenant deployments. The CVSS 4.0 score is 9.4 (critical), reflecting network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, availability, and security requirements.
Mitigation Recommendations
A fix is available in Altium Enterprise Server version 8.1.1. For Altium 365, the vendor has applied remediation at the service level. Users should upgrade to the fixed version or verify that their Altium 365 service is updated per vendor guidance. Patch status is confirmed by the vendor advisory embedded in the description.
CVE-2026-11429: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Altium Altium Enterprise Server
Description
CVE-2026-11429 is a critical path traversal vulnerability in the Git Service component shared by Altium Enterprise Server and Altium 365. It allows an authenticated user with basic git access to move arbitrary files outside the intended repository by exploiting insufficient path validation. This can lead to placing attacker-controlled scripts in locations where they are executed by the service, resulting in remote code execution under the Git Service account. The vulnerability also posed a risk of cross-tenant data access in multi-tenant Altium 365 deployments. Altium Enterprise Server version 8. 1. 1 includes a fix, and Altium 365 has been remediated at the service level.
CVSS v4.0
Score 9.4critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from improper limitation of pathname (CWE-22) in the Git Service component of Altium Enterprise Server and Altium 365. The service processes post-clone file-manipulation operations using user-supplied paths without adequate validation, enabling authenticated users with minimal git privileges to move files outside the repository boundary. This file-move capability can be abused to deploy malicious scripts that the service later executes, leading to remote code execution (CWE-94). In multi-tenant Altium 365 environments, this could have allowed unauthorized access to other tenants' data. The issue is fixed in Altium Enterprise Server 8.1.1 and mitigated in Altium 365 at the service level.
Potential Impact
Successful exploitation allows remote code execution with the privileges of the Git Service account. This can lead to full compromise of the affected server and unauthorized access to data across tenants in multi-tenant deployments. The CVSS 4.0 score is 9.4 (critical), reflecting network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, availability, and security requirements.
Mitigation Recommendations
A fix is available in Altium Enterprise Server version 8.1.1. For Altium 365, the vendor has applied remediation at the service level. Users should upgrade to the fixed version or verify that their Altium 365 service is updated per vendor guidance. Patch status is confirmed by the vendor advisory embedded in the description.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Altium
- Date Reserved
- 2026-06-05T20:52:55.972Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2340b3e29bf47b50c78620
Added to database: 6/5/2026, 9:33:39 PM
Last enriched: 6/5/2026, 9:48:29 PM
Last updated: 6/5/2026, 10:35:21 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.