PatchSiren cyber security CVE debrief
CVE-2026-9129 Altium CVE debrief
CVE-2026-9129 describes a critical path traversal flaw in Altium Enterprise Server Viewer StorageController. On on-premises deployments that use local filesystem storage, a regular authenticated user can submit a URL-encoded absolute path in a Viewer storage API request, causing the configured storage root to be bypassed and enabling arbitrary file reads from the server filesystem. The most concerning impact is disclosure of the master configuration and other sensitive files that can contain database credentials, signing key locations, certificate passwords, and OAuth secrets. The source description says cloud deployments are not affected because they use object storage and do not enable this component.
- Vendor: Altium
- Product: Altium Enterprise Server
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Organizations running on-premises Altium Enterprise Server deployments with local filesystem storage should prioritize this immediately, especially teams responsible for authentication, Viewer services, configuration secrets, and server hardening. Security operations teams should also review any environment where the server master configuration or adjacent credential material is stored locally.
Technical summary
The vulnerability is a path traversal issue in the Viewer StorageController caused by improper handling of file path route parameters. An authenticated user can provide a URL-encoded absolute path, such as an encoded drive letter, in a Viewer storage API request. That input can discard the configured storage root and redirect file access to arbitrary filesystem locations. NVD lists CWE-22 and CWE-200, aligning with arbitrary file access and information disclosure. Because readable files may include the master configuration and secret material, the practical impact can extend beyond file disclosure to full server and data compromise.
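The root-discard behaviour described above is exactly what a plain path join does when handed an absolute or drive-qualified component. The following is an added illustration, not Altium's code: a naive resolver beside a hardened one that decodes the route parameter once, rejects absolute input, collapses `..` segments, and verifies containment before any file access. The storage roots, file names and function names are constructed assumptions.

```python
"""Storage-root containment for a file path route parameter (added example)."""
from pathlib import PurePosixPath, PureWindowsPath
from urllib.parse import unquote


def naive_resolve(root: str, route_param: str, windows: bool = False) -> str:
    """Defective pattern: decode, then join onto the storage root.
    pathlib (like os.path.join / Path.Combine) drops every earlier component
    when a later one is absolute or drive-qualified, so an encoded absolute
    path silently replaces the configured root."""
    P = PureWindowsPath if windows else PurePosixPath
    return str(P(root) / unquote(route_param))


def safe_resolve(root: str, route_param: str, windows: bool = False) -> str:
    """Hardened form: decode once, reject absolute/drive/UNC input and
    leftover percent-encoding, normalise '.' and '..' lexically, and confirm
    the final path is still strictly inside the root (pure paths, no I/O)."""
    P = PureWindowsPath if windows else PurePosixPath
    decoded = unquote(route_param)
    if "%" in decoded:  # assumption: storage keys never contain a literal '%'
        raise ValueError("double-encoded path rejected")
    rel = P(decoded)
    if rel.is_absolute() or rel.drive or rel.root:
        raise ValueError("absolute path rejected")
    parts: list[str] = []
    for seg in rel.parts:
        if seg == "..":
            if not parts:
                raise ValueError("path escapes storage root")
            parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    if not parts:
        raise ValueError("empty path rejected")
    root_p = P(root)
    target = root_p.joinpath(*parts)
    if root_p not in target.parents:  # belt-and-braces containment check
        raise ValueError("path escapes storage root")
    return str(target)


def is_contained(root: str, route_param: str, windows: bool = False) -> bool:
    """True when the hardened resolver accepts the parameter, False when it
    rejects it; useful as a request-validation gate or a log-replay check."""
    try:
        safe_resolve(root, route_param, windows)
        return True
    except ValueError:
        return False
```

Running both resolvers over the same encoded input shows the naive join returning a path outside the root while the hardened one refuses it.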
Defensive priority
Critical priority. The issue is remotely reachable, requires only low-privilege authenticated access, and can expose high-value secrets that may enable broader compromise. For on-prem deployments using local filesystem storage, treat this as an urgent remediation item.
Recommended defensive actions
- Confirm whether the deployment is on-premises and uses local filesystem storage; according to the source description, cloud deployments are not affected.
- Review the vendor advisory reference and apply the vendor-recommended fix or mitigation as soon as it is available.
- Restrict access to Viewer storage APIs to trusted administrative networks and roles only until remediation is complete.
- Audit server-side configuration and secret handling, especially master configuration files, database credentials, signing key locations, certificate passwords, and OAuth secrets.
- Rotate any secrets that may have been exposed if the vulnerable configuration was reachable in production.
- Monitor authentication logs and file-access anomalies for unusual URL-encoded path inputs or requests to Viewer storage endpoints.
Evidence notes
This debrief is based on the supplied NVD record for CVE-2026-9129, which states that the issue is a path traversal vulnerability in Altium Enterprise Server Viewer StorageController affecting on-premises deployments that use local filesystem storage. The record says an authenticated user can supply a URL-encoded absolute path to cause the storage root to be discarded and arbitrary files to be read. The supplied description further states that readable files can include the master configuration with database credentials, signing key locations, certificate passwords, and OAuth secrets, and that cloud deployments are not affected. NVD metadata lists CWE-22 and CWE-200 and a CVSS 4.0 vector consistent with high confidentiality, integrity, and availability impact. The source reference points to Altium's security advisories page.
Official resources
- CVE-2026-9129 CVE record (CVE.org)
- CVE-2026-9129 NVD detail (NVD)
Publicly disclosed in the supplied NVD record on 2026-05-20; the record cites an Altium security advisories reference.