PatchSiren cyber security CVE debrief

CVE-2026-11424 Altium CVE debrief

A server-side request forgery (SSRF) vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a request in which an input field is treated by the server as a URL and used to issue an outbound HTTP GET request, with no URL validation and no filtering of the destination. The response body is returned to the user, so this is a full-read SSRF: the attacker can both reach a destination chosen by them and read what it returns.

Vendor: Altium
Product: Altium Enterprise Server (the affected GraphQL component is shared with Altium 365)
CVSS: 8.3 (HIGH)
CISA KEV: Not listed at time of writing
Original CVE published: 2026-06-05
Original CVE updated: 2026-06-08
Advisory published: 2026-06-05
Advisory updated: 2026-06-08

Who should care

Operators of Altium Enterprise Server and organizations using Altium 365 should treat this as relevant: any authenticated account, including a low-privileged one, can use the server as a proxy to reach internal services and cloud metadata endpoints that are not reachable from the public network, and can read the responses. In a typical deployment that means internal admin interfaces, databases with HTTP APIs, and instance-metadata credentials are within reach of every user who can log in.

Technical summary

The vulnerability has a CVSS score of 8.3 and is classified as HIGH severity. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Read as base metrics: exploitable over the network (AV:N) with low complexity (AC:L) and no special preconditions (AT:N), requiring only low privileges (PR:L) and no user interaction (UI:N); the impact is high on confidentiality of the vulnerable system (VC:H) and, because the fetched content comes from other hosts, high on confidentiality of subsequent systems (SC:H), with no integrity or availability impact scored. The threat and environmental metrics are unset (X).

Defensive priority

HIGH

Recommended defensive actions

  • Apply the vendor patch for Altium Enterprise Server (8.1.1); Altium 365 is patched by the vendor at the service level.
  • Restrict access to the GraphQL service component to trusted users and networks. The vulnerability needs only a low-privileged authenticated account, so every account that can reach the endpoint is a potential attacker.
  • Until the patch is in place, limit what an SSRF from the server can reach: deny outbound connections from the server host to loopback, RFC 1918 and link-local ranges (including the cloud metadata address 169.254.169.254) except those the application legitimately needs, and alert on egress to those ranges.
  • Any application-level fix needs both URL validation (scheme allowlist, no embedded credentials) and destination filtering applied to every address the hostname resolves to, not just to the literal hostname, with redirects not followed automatically.
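The following is an added example, not code from Altium or from this advisory, showing what the missing control looks like: URL validation plus destination filtering for a server-side fetch, applied to every address the host resolves to and pinned so a DNS rebind between check and connect cannot redirect the request. The hostnames in FAKE_DNS and the test payloads are constructed, and the function and class names are this example's own.

```python
"""Destination filtering for server-side URL fetches (added example)."""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse, urlunparse

# Ranges an SSRF payload typically aims at: loopback, RFC 1918, CGNAT,
# link-local (incl. the 169.254.169.254 cloud metadata service) and the
# IPv6 equivalents. 0.0.0.0/8 is included because 0.0.0.0 connects to
# localhost on Linux.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeDestination(ValueError):
    """Raised when a user-supplied URL must not be fetched."""


def resolve_all(host):
    """Default resolver: every address the host currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_ip(addr):
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.1 is an IPv4-mapped IPv6 address; check the IPv4 inside it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url, resolver=resolve_all):
    """Return the address to connect to, or raise UnsafeDestination.

    Every address the host resolves to is checked (a mixed public/private
    record set is rejected) and the caller connects to the returned address
    instead of re-resolving, which closes the DNS-rebinding window."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeDestination(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeDestination("credentials in URL")
    host = parts.hostname
    if not host:
        raise UnsafeDestination("no host in URL")
    try:
        addrs = {str(ipaddress.ip_address(host))}   # IP literal
    except ValueError:
        addrs = set(resolver(host))                 # DNS name
    if not addrs:
        raise UnsafeDestination(f"{host} does not resolve")
    for addr in addrs:
        if is_blocked_ip(addr):
            raise UnsafeDestination(f"{host} resolves to blocked address {addr}")
    return sorted(addrs)[0]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """A 3xx to an internal address would bypass the check; refuse to follow."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def build_pinned_request(url, resolver=resolve_all):
    """Validate url and build a Request that connects to the pinned address
    while keeping the original Host header. Open it with
    urllib.request.build_opener(NoRedirect).open(req, timeout=5)."""
    pinned = validate_outbound_url(url, resolver)
    parts = urlparse(url)
    host_header = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    ip_netloc = f"[{pinned}]" if ":" in pinned else pinned
    if parts.port is not None:
        ip_netloc += f":{parts.port}"
    return urllib.request.Request(urlunparse(parts._replace(netloc=ip_netloc)),
                                  headers={"Host": host_header})


# Constructed resolver table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "intranet.example": {"10.20.30.40"},
    "rebind.example": {"93.184.216.34", "127.0.0.1"},   # mixed record set
    "public.example": {"93.184.216.34"},
}


def check_payloads(urls, table=FAKE_DNS):
    """Map each URL to the pinned address or the rejection reason."""
    results = {}
    for u in urls:
        try:
            results[u] = validate_outbound_url(u, lambda h: table.get(h, set()))
        except UnsafeDestination as e:
            results[u] = f"REJECTED: {e}"
    return results


if __name__ == "__main__":
    for url, verdict in check_payloads([
        "http://169.254.169.254/latest/meta-data/",
        "http://intranet.example/admin",
        "http://rebind.example/",
        "http://[::ffff:127.0.0.1]/",
        "file:///etc/passwd",
        "http://user@public.example/",
        "https://public.example/status",
    ]).items():
        print(f"{url:45} -> {verdict}")
```

The check is deliberately on resolved addresses rather than on the hostname string: a hostname allowlist alone is bypassed by an attacker-controlled DNS name pointing at 127.0.0.1 or 169.254.169.254. Pinning the connection to the validated address and refusing redirects closes the two remaining gaps (rebinding after the check, and a 3xx from an allowed host to an internal one). For HTTPS the pinned request still needs certificate validation against the original hostname, which urllib does not do for an IP-literal URL; a production fetcher should use a client that supports a separate connect address and SNI/verify hostname.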

Evidence notes

The CVE record and the NVD detail are at [cve-org] and [nvd], respectively. Additional information is at [ref-4].

Official resources

CVE-2026-11424 was published on 2026-06-05 and last modified on 2026-06-08.