CVE-2026-11420

Path Traversal in Altium Enterprise Server NIS Allows Unauthenticated Arbitrary File Write and File Read

Assigner: Altium
Reserved: 05.06.2026 Published: 05.06.2026 Updated: 05.06.2026

Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on the server filesystem and to read package archive files from the server. No authentication, session, or credentials are required.

Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, exploitation can be escalated to remote code execution in the context of the service account, and can disclose deployment package contents. Altium 365 cloud deployments are not affected, as the Network Installation Service is not part of the cloud offering.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 10

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Altium
Product	Altium Enterprise Server
Versions	Default: unaffected affected from 0 to 8.1.1 (excl.)

Vendor

Altium

Product

Altium Enterprise Server

Versions

Default: unaffected

affected from 0 to 8.1.1 (excl.)

Credits

Joris Aerts, Tesla Inc. finder

References

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
CWE-306 Missing authentication for critical function CWE

Impacts

CAPEC-126 Path Traversal
CAPEC-115 Authentication Bypass