Path Traversal in Altium Git Service Allows Remote Code Execution
CVE-2026-11429

9.4CRITICAL

Key Information:

Vendor: Altium
Status: Altium Enterprise Server; Altium 365
Vendor: CVE Published:; 5 June 2026

What is CVE-2026-11429?

A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to move arbitrary files outside the intended repository area.

This file-move primitive can be used to place attacker-controlled script content into directories where it is later executed by the service, resulting in remote code execution under the Git Service account. On multi-tenant Altium 365 deployments, this could have allowed access to data belonging to other tenants on the same infrastructure node. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.

Affected Version(s)

Altium 365 Web <= unspecified

Altium Enterprise Server Web 0 < 8.1.1

References

https://www.altium.com/platform/security-compliance/secur...

CVSS V4

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2026
Vulnerability Reserved
Jun 5, 2026

Credit

Joris Aerts, Tesla Inc.

CVE-2026-11429 Data

JSON