CVE-2026-9129
Status: Deferred - Pending Action
Path Traversal in Altium Enterprise Server Viewer

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Altium

Description
A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem. Because the readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.
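The root-discarding behaviour described above, shown as an added illustration in Python (not Altium's code; Windows path semantics are emulated with ntpath, and the storage root and file names are constructed placeholders): the vulnerable pattern joins the decoded route parameter onto the root, so a drive-qualified value replaces the root entirely, while the hardened variant rejects absolute input and checks that the normalised result still lies under the root.

```python
import ntpath
from urllib.parse import unquote

# Constructed storage root for an on-premise install; not a real Altium path.
STORAGE_ROOT = r"C:\AltiumData\Viewer\storage"

def vulnerable_resolve(root: str, route_param: str) -> str:
    """Illustrates the flawed pattern the advisory describes: the decoded
    route parameter is joined onto the storage root. With Windows path
    semantics, a drive-qualified component makes join() drop the root."""
    decoded = unquote(route_param)
    return ntpath.normpath(ntpath.join(root, decoded))

def safe_resolve(root: str, route_param: str) -> str:
    """Hardened variant: refuse absolute or drive-qualified input, then
    verify the normalised result is still inside the storage root."""
    decoded = unquote(route_param)
    if ntpath.isabs(decoded) or ntpath.splitdrive(decoded)[0]:
        raise PermissionError("absolute or drive-qualified path rejected")
    root_n = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_n, decoded))
    try:
        inside = ntpath.commonpath([root_n, candidate]) == root_n
    except ValueError:          # different drives: certainly outside
        inside = False
    if not inside:
        raise PermissionError("path escapes storage root")
    return candidate

def is_rejected(route_param: str) -> bool:
    """True when safe_resolve refuses the parameter (used for checks)."""
    try:
        safe_resolve(STORAGE_ROOT, route_param)
        return False
    except PermissionError:
        return True
```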
Meta Information

  • Published: 2026-05-20
  • Last Modified: 2026-05-20
  • Generated: 2026-06-10
  • AI Q&A: 2026-05-21
  • EPSS Evaluated: 2026-06-08
Affected Vendors & Products (1 associated CPE)

Vendor   Product                    Version / Range
altium   enterprise_server_viewer   *
CWE ID    Description
CWE-200   The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-22    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Detection Guidance

This vulnerability can be detected by monitoring and analyzing API requests to the Altium Enterprise Server Viewer StorageController for URL-encoded absolute file path parameters. Specifically, look for requests in which an authenticated user supplies an encoded drive letter or other absolute path that would bypass the configured storage root.

A practical approach is to inspect web server logs or use network monitoring tools to identify such requests. For example, command-line tools like grep can search the logs for URL-encoded sequences that resemble absolute paths (`%5c` is an encoded backslash, `%2f` an encoded forward slash, `%3a` an encoded colon):

  • grep -iE '%5c|%2f|%3a' /path/to/altium/logs/access.log
  • grep -iE 'storage.*(%5c|%2f|%3a)' /path/to/altium/logs/access.log

The first pattern will also match legitimate encoded slashes in ordinary requests; an encoded colon followed by an encoded separator (for example `%3a%5c`) inside a storage request is the stronger signal of an encoded drive letter. Decode the matched parameter before judging it, since double encoding (`%25`) and mixed-case hex will evade a literal pattern.

Additionally, network traffic capture tools like tcpdump or Wireshark can filter HTTP requests to the Viewer storage API endpoint so that the encoded paths can be examined. Note that on port 443 the payload is TLS-encrypted, so payload matching only works on plaintext HTTP or on traffic captured after TLS termination (for example behind a reverse proxy). The port clause must be parenthesised, otherwise `or` binds more loosely than `and` and the payload-length test applies only to port 443:

  • tcpdump -i any -A -s 0 '(tcp port 80 or tcp port 443) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -iE '%5c|%2f|%3a'
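An added log-scanning example, not part of the original guidance, that applies the decode-then-inspect approach above to access-log lines: it percent-decodes the storage route parameter (repeatedly, to catch double encoding) and flags drive-qualified or traversing values. The `/viewer/storage/` route prefix and the log lines are constructed assumptions, not the real StorageController route or real Altium logs.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample log lines (Combined Log Format style); not real Altium logs.
SAMPLE_LOG = """\
10.0.0.5 - alice [20/May/2026:10:01:12 +0000] "GET /viewer/storage/files/project%2Fboard.PcbDoc HTTP/1.1" 200 4812
10.0.0.7 - bob [20/May/2026:10:02:41 +0000] "GET /viewer/storage/files/C%3A%5CProgramData%5Cexample.config HTTP/1.1" 200 9021
10.0.0.7 - bob [20/May/2026:10:02:58 +0000] "GET /viewer/storage/files/..%2F..%2F..%2Fexample.config HTTP/1.1" 404 0
10.0.0.9 - carol [20/May/2026:10:03:10 +0000] "GET /viewer/storage/files/%2543%253A%255Cexample.config HTTP/1.1" 200 9021
10.0.0.5 - alice [20/May/2026:10:04:00 +0000] "GET /viewer/api/health HTTP/1.1" 200 12
"""

STORAGE_ROUTE = "/viewer/storage/"  # assumed route prefix; adjust to the real one
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')
# A drive letter and colon at the start of a segment, e.g. "\C:\" or "^C:/"
DRIVE_RE = re.compile(r'(?:^|[\\/])[A-Za-z]:(?:[\\/]|$)')

def decode_fully(s: str, limit: int = 3) -> str:
    """Percent-decode repeatedly so double encoding (%25xx) is not missed."""
    for _ in range(limit):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def classify(raw_path: str) -> Optional[str]:
    """Reason string if the storage route parameter is absolute or traverses
    after decoding; None for non-storage routes and ordinary relative names."""
    if not raw_path.startswith(STORAGE_ROUTE):
        return None
    param = decode_fully(raw_path[len(STORAGE_ROUTE):]).replace("/", "\\")
    if DRIVE_RE.search(param) or param.startswith("\\\\"):
        return "absolute-path"
    if ".." in param.split("\\"):
        return "traversal"
    return None

def scan(log_text: str):
    """Return (line number, reason, raw request path) for each flagged line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        reason = classify(m.group(1)) if m else None
        if reason:
            hits.append((n, reason, m.group(1)))
    return hits
```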
Executive Summary

This vulnerability is a path traversal issue in the Altium Enterprise Server Viewer StorageController. It occurs because the system improperly handles file path route parameters. Specifically, on on-premise deployments using local filesystem storage, an authenticated user can send a URL-encoded absolute path in a Viewer storage API request. This causes the configured storage root directory to be ignored, allowing the user to read arbitrary files from the server's filesystem.

The files that can be read include critical server configuration files containing database credentials, signing key locations, certificate passwords, and OAuth secrets. Exploiting this vulnerability can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected because they use object storage and do not enable this vulnerable component.

Impact Analysis

Exploitation of this vulnerability can have severe impacts. An attacker with regular authenticated access can read arbitrary files on the server, including sensitive configuration files that store database credentials, signing keys, certificate passwords, and OAuth secrets.

This can lead to full disclosure of all server secrets, resulting in complete compromise of the server and its data. Such a compromise can allow unauthorized access, data theft, and potentially further attacks on connected systems.

It is important to note that only on-premise deployments using local filesystem storage are affected; cloud deployments using object storage are not vulnerable.

Mitigation Strategies

To mitigate this vulnerability, avoid running the Altium Enterprise Server Viewer StorageController against on-premise local filesystem storage where possible, since only that configuration enables the vulnerable component; cloud deployments, which use object storage, are not affected.

Additionally, restrict and review authenticated user access to the Viewer storage API, and reject requests whose route parameters decode to URL-encoded absolute paths that would bypass the storage root restriction.

Monitor Altium's official security advisories for patches or updates addressing this vulnerability.

Compliance Impact

The vulnerability allows an authenticated user to read arbitrary files on the server filesystem, including sensitive server secrets such as database credentials, signing key locations, certificate passwords, and OAuth secrets.

This exposure of sensitive information could lead to a full compromise of the server and its data, which may result in violations of data protection regulations like GDPR and HIPAA that require safeguarding of personal and sensitive data.

However, the provided information does not explicitly discuss compliance impacts or mention specific standards or regulations.
