CVE-2026-11414

Published Jun 5, 2026

Last updated 2 days ago

CVSS critical 10.0
Server

Overview

Description
A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and retrieve files from the Vault storage area without any authentication, session, or credentials. A separate path traversal vulnerability in the same download endpoint allows the configured storage root to be escaped, enabling reads of arbitrary files on the server filesystem. Combined, these issues allow an unauthenticated attacker to obtain sensitive server configuration and key material, which can lead to full server compromise. The vulnerability can be chained with CVE-2026-9152 to enumerate and bulk-download stored content. Altium 365 cloud deployments are not impacted in practice, as file storage uses object storage rather than the local filesystem.
Source
4760f414-e1ae-4ff1-bdad-c7a9c3538b79
NVD status
Analyzed
Products
on-prem_enterprise_server

Risk scores

CVSS 4.0

Type
Secondary
Base score
10
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

4760f414-e1ae-4ff1-bdad-c7a9c3538b79
CWE-22

Social media

Hype score
Not currently trending

  1. 🚨 Critical - Multiple Vulnerabilities Disclosed in Altium Enterprise Server (CVE-2026-11429, CVE-2026-11423, CVE-2026-11419, CVE-2026-11420, CVE-2026-11414) A cascade of severe flaws has been disclosed affecting Altium Enterprise Server, including unauthenticated path travers

    @UpwindMDR

    6 Jun 2026

    75 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2026-11414 Unauthenticated Arbitrary File Access in Altium Enterprise Server... https://t.co/2M4BfXShod Customizable Vulnerability Alerts: https://t.co/U7998fz7yk

    @VulmonFeeds

    6 Jun 2026

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following VulnerabilityCVE-2026-54420
  2. Check Point Security Gateway Improper Authentication VulnerabilityCVE-2026-50751
  3. Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on the server filesystem and to read package archive files from the server. No authentication, session, or credentials are required. Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, exploitation can be escalated to remote code execution in the context of the service account, and can disclose deployment package contents. Altium 365 cloud deployments are not affected, as the Network Installation Service is not part of the cloud offering.CVE-2026-11420
  4. A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController due to improper validation of a user-controlled path component in image upload requests. An authenticated user can supply a crafted absolute path so that the configured storage root is discarded, allowing arbitrary files to be written to any location on the server filesystem writable by the service account. Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, this can be escalated to remote code execution, service takeover, or denial of service. Altium 365 cloud deployments are not affected, as the affected endpoint is not reachable and the cloud storage architecture mitigates the file-write primitive.CVE-2026-11419
  5. Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data VulnerabilityCVE-2026-45247

References

Sources include official advisories and independent security research.