PT-2026-47054 · Altium · Altium Enterprise Server Collaboration Service
Published: 2026-06-05 · Updated: 2026-06-05 · CVE-2026-11423
CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Altium Enterprise Server Collaboration Service (affected versions not specified)
Description
A path traversal issue exists due to improper handling of user-supplied filenames within the MCAD and Simulation file download flows. An authenticated user can send a collaboration message with a crafted filename that the server uses to construct a download path without validation, enabling the reading of arbitrary files from the filesystem. Since the server's master configuration containing privileged account credentials can be accessed, this may allow an attacker to authenticate as a system administrator and gain full control of the server. Altium 365 cloud deployments are not affected.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Improper Privilege Management
Path traversal
Related Identifiers
Affected Products
Altium Enterprise Server Collaboration Service