CVE-2026-11423 Overview
CVE-2026-11423 is a path traversal vulnerability [CWE-22] in the Altium Enterprise Server Collaboration Service. The flaw resides in the Mechanical CAD (MCAD) and Simulation file download flows, which improperly handle user-supplied filenames. An authenticated user can submit a collaboration message containing a crafted filename. The server later constructs the download path from that value without validation, enabling arbitrary file reads from the host filesystem. Readable files include the server's master configuration, which stores credentials for privileged accounts. Altium 365 cloud deployments are not affected by this issue.
Critical Impact
An authenticated attacker can read the server's master configuration, recover privileged credentials, authenticate as a system administrator, and take full control of the Altium Enterprise Server.
Affected Products
- Altium Enterprise Server (on-premises) Collaboration Service
- MCAD file download workflow
- Simulation file download workflow
Discovery Timeline
- 2026-06-05 - CVE-2026-11423 published to the National Vulnerability Database (NVD)
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-11423
Vulnerability Analysis
The vulnerability is a classic path traversal weakness [CWE-22] affecting two file download flows in the Altium Enterprise Server Collaboration Service. A regular authenticated user posts a collaboration message that includes a filename field. The server reuses the supplied filename when constructing the absolute path used to read content for the download response. Because the filename is not normalized or constrained to a permitted directory, sequences such as ..\ or absolute paths resolve outside the intended collaboration storage location. The result is arbitrary file read with the privileges of the Collaboration Service process. Files of interest include the server's master configuration, which stores credentials for privileged accounts. Recovering those credentials lets the attacker authenticate as a system administrator and pivot to full server control.
Root Cause
The root cause is improper handling of user-supplied filenames in the MCAD and Simulation download flows. The service trusts the client-provided filename embedded in a collaboration message and passes it directly into file-path construction. There is no canonicalization, no rejection of traversal sequences, and no enforcement that the resolved path remains inside the designated collaboration directory.
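The two patterns the analysis describes, as an added example in Python that is not Altium's code: the unsafe join beside a hardened resolver that accepts only a bare file name and then checks containment. It uses `ntpath` so the Windows-style semantics (backslashes, drive letters, UNC prefixes) apply on any host; the storage root and file names are constructed placeholders.

```python
import ntpath  # Windows path semantics no matter which OS runs this example

# Constructed storage root; the real Altium directory layout is not on the page.
MCAD_ROOT = "D:\\AltiumData\\Collaboration\\MCAD"


class InvalidFilename(ValueError):
    """Raised when a collaboration-message filename must not be served."""


def vulnerable_download_path(root: str, filename: str) -> str:
    """The pattern the advisory describes: the client-supplied filename is
    joined straight into the storage path, and the OS resolves '..' and
    absolute names, so the result can land anywhere on the volume."""
    return ntpath.normpath(ntpath.join(root, filename))


def safe_download_path(root: str, filename: str) -> str:
    """Hardened form: accept only a bare file name, then canonicalize the
    joined path and confirm it still lies inside the storage root."""
    # Rule 1: a download name is a basename. Any separator, drive letter
    # ('C:'), UNC prefix ('\\srv\share') or '.'/'..' component is rejected.
    if not filename or filename in (".", "..") or filename != ntpath.basename(filename):
        raise InvalidFilename(f"rejected filename: {filename!r}")
    # Rule 2: no control characters (NUL truncation in native code, log injection).
    if any(ord(c) < 32 for c in filename):
        raise InvalidFilename("control character in filename")
    # Rule 3 (defence in depth): canonicalize, then require the root plus a
    # trailing separator as prefix so 'MCAD2' cannot pass as 'MCAD'.
    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, filename))
    if not candidate.lower().startswith(root_norm.lower() + ntpath.sep):
        raise InvalidFilename("resolved path escapes the storage root")
    return candidate


def is_allowed(root: str, filename: str) -> bool:
    """Convenience wrapper for tests and policy checks."""
    try:
        safe_download_path(root, filename)
        return True
    except InvalidFilename:
        return False
```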
Attack Vector
Exploitation requires network access to the Altium Enterprise Server and a valid low-privilege user account. The attacker authenticates, submits a collaboration message with a filename containing traversal sequences pointing at the master configuration file, and then triggers the associated download flow. The server returns the targeted file's contents. The attacker extracts privileged credentials from the configuration and reauthenticates as a system administrator.
No verified public exploit code is available. See the Altium Security Advisory for vendor technical details.
Detection Methods for CVE-2026-11423
Indicators of Compromise
- Collaboration messages containing filenames with traversal sequences such as ..\, ../, or absolute paths referencing system or configuration directories.
- Collaboration Service download requests resolving to files outside the designated MCAD or Simulation storage paths.
- Unexpected reads of the Altium Enterprise Server master configuration file by the Collaboration Service process.
- Administrator logins from accounts or source addresses previously associated with low-privilege users.
Detection Strategies
- Inspect Collaboration Service logs for download requests whose resolved file paths fall outside expected MCAD and Simulation directories.
- Alert on filename fields in collaboration messages that contain .., backslash traversal, drive letters, or UNC prefixes.
- Correlate file-read events on the master configuration with subsequent administrator authentications from the same user or session.
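The three strategies above run over a few constructed log events, as an added example in Python that is not Altium's tooling: the event schema, storage roots, user names and the configuration file name are all assumptions, since the real log format is not on the page.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed JSON-lines events; Altium's real log schema is not on the page.
SAMPLE_LOG = r"""
{"ts": "2026-06-06T09:12:01", "event": "collab_message", "user": "jdoe", "filename": "bracket_v3.step"}
{"ts": "2026-06-06T09:12:02", "event": "download", "user": "jdoe", "resolved": "D:\\AltiumData\\Collaboration\\MCAD\\bracket_v3.step"}
{"ts": "2026-06-06T09:40:17", "event": "collab_message", "user": "guest7", "filename": "..\\..\\..\\CONFIG-PLACEHOLDER.xml"}
{"ts": "2026-06-06T09:40:18", "event": "download", "user": "guest7", "resolved": "D:\\CONFIG-PLACEHOLDER.xml"}
{"ts": "2026-06-06T09:47:55", "event": "admin_login", "user": "guest7", "src": "10.0.0.23"}
"""

# Expected storage roots (constructed); a legitimate download resolves under one of these.
ALLOWED_ROOTS = ("D:\\AltiumData\\Collaboration\\MCAD\\",
                 "D:\\AltiumData\\Collaboration\\Simulation\\")

# A legitimate collaboration filename is a bare name: any '..', any '/' or '\'
# (which also catches UNC '\\srv' prefixes) or a leading drive letter is suspicious.
SUSPICIOUS_NAME = re.compile(r"\.\.|[\\/]|^[A-Za-z]:")


def analyze(log_text: str, window: timedelta = timedelta(hours=1)) -> list:
    """Return alerts for the three detection strategies, in event order."""
    alerts = []
    first_suspect = {}  # user -> time of their first suspicious message or download
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["event"] == "collab_message" and SUSPICIOUS_NAME.search(ev["filename"]):
            alerts.append({"rule": "traversal_filename", "user": user, "ts": ev["ts"]})
            first_suspect.setdefault(user, ts)
        elif ev["event"] == "download" and not ev["resolved"].lower().startswith(
                tuple(r.lower() for r in ALLOWED_ROOTS)):
            alerts.append({"rule": "download_outside_root", "user": user, "ts": ev["ts"]})
            first_suspect.setdefault(user, ts)
        elif (ev["event"] == "admin_login" and user in first_suspect
              and ts - first_suspect[user] <= window):
            # Suspicious file access followed by an admin logon from the same
            # account inside the window: treat as suspected privilege escalation.
            alerts.append({"rule": "admin_login_after_suspicious_read", "user": user, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The benign user jdoe produces no alert; guest7 trips all three rules in sequence.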
Monitoring Recommendations
- Forward Altium Enterprise Server application and access logs to a centralized analytics platform for retention and search.
- Monitor privileged account logons for sudden activity from previously low-privilege users.
- Track filesystem access by the Collaboration Service's service account and alert on reads of credential-bearing files.
How to Mitigate CVE-2026-11423
Immediate Actions Required
- Apply the Altium security update for the Enterprise Server as published in the Altium Security Advisory.
- Rotate all credentials stored in the server's master configuration, including service and administrator accounts, after patching.
- Restrict network access to the Collaboration Service to trusted engineering networks until patching is complete.
- Review Collaboration Service logs for prior exploitation attempts and unexpected administrator logins.
Patch Information
Altium has published fixed builds for the Enterprise Server. Refer to the Altium Security Advisory for the specific fixed version and upgrade instructions. Altium 365 cloud deployments are not affected and require no customer action.
Workarounds
- Limit Collaboration Service accounts to trusted users until the patched build is deployed.
- Place the Enterprise Server behind a reverse proxy or web application firewall that blocks request bodies containing path traversal sequences in collaboration message fields.
- Tighten filesystem permissions on the service account so the master configuration is readable only by required processes.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.