CVE-2026-9129

Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read

Assigner: Altium
Reserved: 20.05.2026 Published: 20.05.2026 Updated: 20.05.2026

A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem.

Because the readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Altium
Product	Altium Enterprise Server
Versions	Default: unaffected affected from 0 to 8.0.4 (excl.)

Vendor

Altium

Product

Altium Enterprise Server

Versions

Default: unaffected

affected from 0 to 8.0.4 (excl.)

Credits

Joris Aerts, Tesla Inc. finder

References

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CWE

Impacts

CAPEC-126 Path Traversal
CAPEC-639 Probe System Files