PT-2026-42246 · Altium · Altium Enterprise Server

Joris Aerts · Published 2026-05-20 · Updated 2026-05-20 · CVE-2026-9129

CVSS v4.0: 9.4 (Critical)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions

Altium Enterprise Server (affected versions not specified)

Description

A path traversal issue exists in the Viewer StorageController due to improper handling of file path route parameters. In on-premise deployments utilizing local filesystem storage, an authenticated user can provide a URL-encoded absolute path in a Viewer storage API request. This action causes the system to discard the configured storage root, enabling the reading of arbitrary files from the server filesystem. This can lead to the disclosure of the server's master configuration, including database credentials, signing key locations, certificate passwords, and OAuth secrets, potentially resulting in a full compromise of the server and its data. Cloud deployments are not affected as they use object storage and do not enable this component.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
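
The weakness class in the description, a rooted path replacing the storage root when it is joined, is shown here as an added example in Python with the flawed join beside a containment check. It is not Altium's code: the advisory does not name the API involved, and the function names, directory layout and sample paths are assumptions constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(storage_root: str, route_param: str) -> str:
    """Flawed pattern: join the decoded route parameter onto the root.

    os.path.join drops every earlier component when a later one is
    absolute, so the configured root silently disappears.
    """
    return os.path.join(storage_root, unquote(route_param))


def safe_resolve(storage_root: str, route_param: str) -> str:
    """Resolve the parameter and refuse anything outside storage_root."""
    root = os.path.realpath(storage_root)
    decoded = unquote(route_param)
    if "\x00" in decoded or os.path.isabs(decoded):
        raise PermissionError("absolute or malformed path rejected")
    # realpath collapses '..' segments and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath compares whole components, so '/srv/store-old' does not
    # pass as being inside '/srv/store' the way a startswith() test would.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("path escapes the storage root")
    return candidate


def is_rejected(storage_root: str, route_param: str) -> bool:
    try:
        safe_resolve(storage_root, route_param)
        return False
    except PermissionError:
        return True


def demo() -> dict:
    # Constructed sample inputs; the root is a throwaway temp directory.
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(os.path.dirname(root), "outside.cfg")
        encoded_abs = outside.replace("/", "%2F")  # URL-encoded absolute path
        return {
            "naive_leaves_root": naive_resolve(root, encoded_abs) == outside,
            "abs_rejected": is_rejected(root, encoded_abs),
            "dotdot_rejected": is_rejected(root, "..%2Foutside.cfg"),
            "inside_ok": not is_rejected(root, "projects%2Fboard.json"),
        }
```

The same containment test can be applied to request logs to flag storage API calls whose decoded path parameter is rooted or resolves outside the configured root.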

Information Disclosure

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-9129

Affected Products

Altium Enterprise Server