PatchSiren cyber security CVE debrief
CVE-2026-9102 Altium CVE debrief
CVE-2026-9102 is a critical path traversal issue described in the CVE record and NVD entry for Altium Enterprise Server ComparisonService. The flaw stems from missing filename sanitization in Gerber file upload APIs, allowing an authenticated workspace user to supply a crafted filename in the multipart Content-Disposition header and escape the intended temporary upload directory. The result can be arbitrary file write on the server filesystem, with possible escalation to remote code execution when content-controlled files land in web-accessible locations. The same primitive can also be used to overwrite binaries or configuration files and disrupt service availability.
- Vendor: Altium
- Product: Altium Enterprise Server
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Altium Enterprise Server administrators, security teams operating workspace-upload workflows, and defenders responsible for monitoring authenticated upload paths, server filesystem integrity, and web-root exposure. Organizations that allow workspace users to submit Gerber files through ComparisonService should treat this as a high-priority exposure.
Technical summary
The CVE text describes a path traversal weakness in Altium Enterprise Server ComparisonService caused by missing filename sanitization in Gerber upload APIs. An authenticated user can influence the filename carried in the multipart Content-Disposition header, causing the server to write outside the intended temporary upload directory. Because the write primitive can reach arbitrary filesystem locations, impact includes unauthorized file placement, overwrite of application artifacts, denial of service, and potential remote code execution if a writable path maps to executable or web-accessible content. The NVD record assigns CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, consistent with a network-reachable, low-complexity issue requiring low-privilege authentication.
Defensive priority
Immediate
Recommended defensive actions
- Review Altium's published security advisories for CVE-2026-9102 and apply vendor guidance or updates as soon as they are available.
- Restrict access to ComparisonService and Gerber upload functionality to the smallest feasible set of trusted users and networks.
- Validate that upload handlers normalize paths and reject crafted filenames before files are written to disk.
- Monitor temporary upload directories, application binaries, and configuration paths for unexpected file creation or modification.
- If unauthorized writes are suspected, perform a compromise assessment focused on web-accessible directories and service-account impacts, and rotate or redeploy affected systems as needed.
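One way to implement the filename check from the third action above, as an added example that is not Altium's code: it parses the multipart Content-Disposition header with the standard library, rejects any client-supplied name that carries directory components, and confirms the resolved destination still sits under the upload directory. The upload root and the sample headers are constructed for illustration.

```python
import os
import re
from email.message import Message  # stdlib parser for Content-Disposition parameters
from typing import Optional

# Hypothetical upload root; the real ComparisonService directory is not known from the advisory.
UPLOAD_ROOT = "/var/tmp/gerber-uploads"

# Allow-list for the bare filename: alphanumeric start, bounded length, no separators,
# no percent-encoding, no control characters. "." and ".." cannot match this pattern.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def filename_from_content_disposition(header: str) -> Optional[str]:
    """Extract the (RFC 2231-decoded) filename parameter from a multipart part header."""
    msg = Message()
    msg["Content-Disposition"] = header
    return msg.get_filename()


def safe_upload_path(header: str, upload_root: str = UPLOAD_ROOT) -> Optional[str]:
    """Return the destination path inside upload_root, or None if the name is rejected.

    Rejecting rather than silently stripping directory components follows the
    advisory's guidance: a crafted filename is a signal to log and refuse, not repair.
    """
    raw = filename_from_content_disposition(header)
    if not raw:
        return None
    # Any separator in either convention means the client is naming a directory,
    # which an upload API never needs.
    if "/" in raw or "\\" in raw:
        return None
    if not _SAFE_NAME.fullmatch(raw):
        return None
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, raw))
    # Defence in depth: the resolved path must still sit under the upload root.
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


if __name__ == "__main__":
    # Constructed sample headers, as a client would send them in a multipart body.
    samples = [
        'form-data; name="file"; filename="board.gbr"',
        'form-data; name="file"; filename="../../etc/app.conf"',
        'form-data; name="file"; filename="..\\..\\wwwroot\\page.html"',
        "form-data; name=\"file\"; filename*=UTF-8''%2e%2e%2fx.gbr",
    ]
    for header in samples:
        print(repr(header), "->", safe_upload_path(header))
```

The RFC 2231 form in the last sample is decoded before the check, which is why the percent-encoded traversal is still refused; a handler that compared only the raw header bytes would miss it.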
Evidence notes
This debrief is based only on the supplied CVE description, the NVD modified record, and the referenced official Altium security advisories URL. The CVE text explicitly states path traversal in Altium Enterprise Server ComparisonService via unsanitized filenames in Gerber file upload APIs, with arbitrary file write and possible RCE or service takeover. NVD metadata also lists CWE-22 and CWE-434 as secondary weakness references and includes an official reference to Altium's security advisories page. The structured vendor object is marked low-confidence/needs review, so vendor attribution should be treated cautiously even though the source text points to Altium.
Official resources
- CVE-2026-9102 CVE record (CVE.org)
- CVE-2026-9102 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 4760f414-e1ae-4ff1-bdad-c7a9c3538b79
Publicly recorded on 2026-05-20 in the supplied CVE and NVD data. No CISA KEV entry was present in the provided corpus at the time of this debrief.