CVE-2026-11431: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Altium Altium Enterprise Server
CVE-2026-11431 is a path traversal vulnerability in the Projects Service download endpoint of Altium Enterprise Server and Altium 365. An authenticated user can bypass path validation to read arbitrary files or directories from the server filesystem, including sensitive service configuration and credential files. This exposure can facilitate further compromise. The vulnerability can be combined with CVE-2026-11424 to access cloud-side endpoints. Altium Enterprise Server version 8. 1. 1 includes a fix, and Altium 365 has been remediated at the service level.
AI Analysis
Technical Summary
This vulnerability involves improper limitation of a pathname to a restricted directory (CWE-22) in the Projects Service download endpoint shared by Altium Enterprise Server and Altium 365. Authenticated users can supply crafted path parameters to bypass validation and read arbitrary files or directories from the server filesystem. The readable files include sensitive service configuration and credential material, which could be leveraged for further attacks. The issue is remediated in Altium Enterprise Server version 8.1.1 and has been fixed at the service level in Altium 365. The vulnerability has a CVSS 4.0 score of 8.3, indicating high severity.
Potential Impact
Exploitation allows authenticated users to read arbitrary files on the server, including sensitive configuration and credential files. This can lead to information disclosure that enables further compromise of the affected systems. On multi-tenant Altium 365 deployments, exposed credentials could affect multiple services. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix is available in Altium Enterprise Server version 8.1.1. Altium 365 has been remediated at the service level by the vendor. Users should upgrade to the fixed version or rely on the vendor's cloud service remediation. Patch status is confirmed by the vendor advisory.
CVE-2026-11431: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Altium Altium Enterprise Server
Description
CVE-2026-11431 is a path traversal vulnerability in the Projects Service download endpoint of Altium Enterprise Server and Altium 365. An authenticated user can bypass path validation to read arbitrary files or directories from the server filesystem, including sensitive service configuration and credential files. This exposure can facilitate further compromise. The vulnerability can be combined with CVE-2026-11424 to access cloud-side endpoints. Altium Enterprise Server version 8. 1. 1 includes a fix, and Altium 365 has been remediated at the service level.
CVSS v4.0
Score 8.3high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves improper limitation of a pathname to a restricted directory (CWE-22) in the Projects Service download endpoint shared by Altium Enterprise Server and Altium 365. Authenticated users can supply crafted path parameters to bypass validation and read arbitrary files or directories from the server filesystem. The readable files include sensitive service configuration and credential material, which could be leveraged for further attacks. The issue is remediated in Altium Enterprise Server version 8.1.1 and has been fixed at the service level in Altium 365. The vulnerability has a CVSS 4.0 score of 8.3, indicating high severity.
Potential Impact
Exploitation allows authenticated users to read arbitrary files on the server, including sensitive configuration and credential files. This can lead to information disclosure that enables further compromise of the affected systems. On multi-tenant Altium 365 deployments, exposed credentials could affect multiple services. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix is available in Altium Enterprise Server version 8.1.1. Altium 365 has been remediated at the service level by the vendor. Users should upgrade to the fixed version or rely on the vendor's cloud service remediation. Patch status is confirmed by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Altium
- Date Reserved
- 2026-06-05T21:03:16.924Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2340b3e29bf47b50c78623
Added to database: 6/5/2026, 9:33:39 PM
Last enriched: 6/5/2026, 9:48:25 PM
Last updated: 6/5/2026, 10:39:17 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.