Path Traversal Vulnerability in Altium Enterprise Server's Viewer StorageController
CVE-2026-9129

9.4 CRITICAL

Key Information:

Vendor: Altium
CVE Published: 20 May 2026

What is CVE-2026-9129?

A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, an authenticated user can supply a URL-encoded absolute path in an API request. The configured storage root can then be disregarded, enabling arbitrary file access on the server's filesystem. Exploitation can disclose sensitive information such as the server's master configuration, which contains critical data like database credentials, signing key locations, certificate passwords, and OAuth secrets. Cloud deployments are unaffected, as they use object storage and do not employ this vulnerable component.
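The bug class described above, as an added Python illustration (not Altium's code, whose implementation the advisory does not show): one common way a storage root gets disregarded is a path join that drops it when the decoded route parameter is absolute, shown beside a resolver that rejects absolute input and checks containment. `STORAGE_ROOT`, the function names and the sample parameters are assumptions constructed for the example.

```python
import ntpath
import os
from urllib.parse import unquote

# Hypothetical storage root; the product's real layout is not in the advisory.
STORAGE_ROOT = "/srv/viewer-storage"


def resolve_naive(route_param: str) -> str:
    """Bug class: join the decoded route parameter onto the root.

    os.path.join() drops every earlier component when a later one is
    absolute, so the configured root silently disappears.
    """
    return os.path.join(STORAGE_ROOT, unquote(route_param))


def resolve_contained(route_param: str) -> str:
    """Decode once, refuse absolute paths, then verify containment."""
    rel = unquote(route_param)
    if "\x00" in rel:
        raise ValueError("NUL byte in path")
    # Reject rooted, UNC and drive-letter forms regardless of host OS.
    if rel.startswith(("/", "\\")) or ntpath.splitdrive(rel)[0]:
        raise ValueError("absolute path rejected")
    root = os.path.realpath(STORAGE_ROOT)
    candidate = os.path.realpath(os.path.join(root, rel))
    # realpath() collapses ".." and symlinks before the comparison.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes storage root")
    return candidate


def is_rejected(route_param: str) -> bool:
    """True when the contained resolver refuses the parameter."""
    try:
        resolve_contained(route_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample route parameters, not taken from the advisory.
    for p in ("projects/board.pcb", "%2Fopt%2Fexample%2Fserver.config",
              "C%3A%5Cexample%5Cserver.config", "..%2F..%2Fopt%2Fexample"):
        print(f"{p!r}: naive={resolve_naive(p)!r} rejected={is_rejected(p)}")
```

The containment check runs after canonicalisation, so it also catches relative `..` sequences that the absolute-path test alone would let through.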

Affected Version(s)

Altium Enterprise Server Web 0 < 8.0.4

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Joris Aerts, Tesla Inc.