PatchSiren cyber security CVE debrief

CVE-2026-11431 Altium CVE debrief

A path traversal vulnerability exists in the Projects Service download endpoint shared by Altium Enterprise Server and Altium 365. An authenticated user can supply a crafted path parameter that bypasses validation, allowing arbitrary files (including entire directories returned as archives) to be read from the server filesystem. Because the readable files include service configuration and credential material, exploitation can be used to gather information enabling further compromise. The issue can be combined with CVE-2026-11424 to reach the cloud-side endpoint. On multi-tenant Altium 365 deployments, the readable configuration could have exposed credentials shared across services. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.

Vendor: Altium
Product: Altium Enterprise Server
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-05
Original CVE updated: 2026-06-08
Advisory published: 2026-06-05
Advisory updated: 2026-06-08

Who should care

Users of Altium Enterprise Server and Altium 365 should apply the provided patches to prevent exploitation of this vulnerability.

Technical summary

The vulnerability has a CVSS score of 8.3 and is classified as HIGH severity. It can be exploited by an authenticated user with a crafted path parameter, allowing access to sensitive files and configuration data.

Defensive priority

High

Recommended defensive actions

Apply the patch for Altium Enterprise Server version 8.1.1
Ensure that Altium 365 has been updated to the latest service level

Evidence notes

Vendor: Altium; Product: Altium Enterprise Server and Altium 365

Official resources

CVE-2026-11431 CVE record
CVE.org
CVE-2026-11431 NVD detail
NVD
Source item URL
nvd_modified
Source reference
4760f414-e1ae-4ff1-bdad-c7a9c3538b79

CVE-2026-11431 was published on 2026-06-05T22:16:47.650Z and modified on 2026-06-08T15:00:38.710Z.