CVE-2026-11424 Overview
CVE-2026-11424 is a server-side request forgery (SSRF) vulnerability in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a string that the server treats as a URL and fetches with an outbound HTTP GET; the server performs no URL validation or destination filtering and returns the response body to the caller. An attacker can thereby read internal services and cloud metadata endpoints that are not exposed to the public network. The entry is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), which names the disclosure consequence rather than the SSRF weakness class itself (CWE-918). Altium fixed the issue in Altium Enterprise Server 8.1.1 and remediated Altium 365 at the service level.
Critical Impact
Authenticated attackers can pivot through the GraphQL service to retrieve contents of internal HTTP endpoints, including cloud instance metadata, enabling reconnaissance and sensitive data disclosure.
Affected Products
- Altium Enterprise Server prior to version 8.1.1
- Altium 365 (cloud service, remediated server-side)
- Shared GraphQL service component used by both products
Discovery Timeline
- 2026-06-05 - CVE-2026-11424 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-11424
Vulnerability Analysis
The flaw lives in a GraphQL resolver that takes a user-supplied string, treats it as a URL, and issues an outbound HTTP GET to it from the server's own network position, returning the response body verbatim to the authenticated caller. Because the GraphQL service runs inside the Altium application infrastructure, the request reaches internal targets from a source address they trust. The primitive is limited to GET with no attacker-controlled headers, which narrows the target set: endpoints that demand a custom header or a non-GET method cannot be read this way (AWS IMDSv2 requires a PUT to obtain a token and then a token header on every read; the Azure and GCP metadata services require a Metadata or Metadata-Flavor request header). Any internal HTTP service that answers an unauthenticated GET, and the AWS IMDSv1 endpoint where it is still enabled, returns its body to the attacker: configuration data, internal API responses, and credential material.
Root Cause
The GraphQL resolver does not validate or filter URLs supplied by the client. There is no allowlist of permitted hosts, no scheme restriction, no protection against DNS rebinding between validation and fetch, and no block for loopback, link-local, or private address ranges. The service trusts authenticated input and hands it directly to an HTTP client. The CWE-200 mapping reflects the consequence, disclosure of internal data that should not be reachable across the network boundary; the missing controls themselves are the textbook SSRF weakness (CWE-918).
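As an added illustration of the controls the root cause lists as missing (example code written for this page, not Altium's resolver or fix), the following Python routine vets a fetch target the way a hardened resolver should: it restricts the scheme, checks the host against an allowlist, resolves the name itself, rejects any record that is loopback, link-local, private or otherwise non-global, and returns the vetted IP so the HTTP client can connect to that address instead of re-resolving (which closes the DNS-rebinding window). ALLOWED_HOSTS, the offline stub resolver and every address in it are assumptions.

```python
"""
Added example for this page (not Altium's code): a destination vetting
routine of the kind the vulnerable resolver lacked. ALLOWED_HOSTS, the
offline stub resolver and every address below are assumptions.
"""
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical allowlist of external hosts the service legitimately fetches from.
ALLOWED_HOSTS = {"assets.example.com", "cdn.example.com"}


def default_resolver(host: str) -> List[str]:
    """Return every A/AAAA record for host (live DNS; the demo below uses a stub)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(ip_text: str) -> bool:
    """True for any address an outbound fetch must never reach.

    Covers loopback, link-local (169.254.0.0/16, hence the IMDS address),
    RFC1918, CGNAT, multicast and other non-global ranges in both address
    families. IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first so it
    cannot smuggle an IPv4 target past the check.
    """
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


def vet_fetch_target(
    url: str, resolver: Callable[[str], List[str]] = default_resolver
) -> Optional[Tuple[str, str, int]]:
    """Return (host, pinned_ip, port) when url may be fetched, else None.

    The caller must open the connection to pinned_ip (still sending host in
    the Host header / SNI) rather than re-resolving the name; re-resolving
    would reopen the DNS-rebinding window between this check and the fetch.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None                     # no file://, gopher://, ftp:// ...
    host = (parts.hostname or "").lower()
    if not host or parts.username or parts.password:
        return None                     # reject userinfo tricks: http://allowed@10.0.0.1/
    if host not in ALLOWED_HOSTS:
        return None                     # IP literals and arbitrary names never pass
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return None                     # malformed port
    try:
        addrs = resolver(host)
    except OSError:
        return None
    # One bad record (rebinding, split-horizon, round-robin onto an internal
    # address) rejects the whole name.
    if not addrs or any(is_blocked_address(a) for a in addrs):
        return None
    return host, addrs[0], port


def stub_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS so the example runs without network access."""
    table = {
        "assets.example.com": ["93.184.216.34"],                  # constructed public address
        "cdn.example.com": ["93.184.216.35", "169.254.169.254"],  # constructed rebinding case
    }
    if host not in table:
        raise socket.gaierror("unknown host")
    return table[host]


if __name__ == "__main__":
    for u in (
        "https://assets.example.com/board.png",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:8080/admin",
        "http://cdn.example.com/preview",
        "file:///etc/passwd",
    ):
        print(f"{u:45} -> {vet_fetch_target(u, stub_resolver)}")
```

The allowlist is the control that actually matters for a product that only ever fetches from a few known hosts; the address check is defence in depth for the case where an allowed name is pointed at an internal address, and the pinned IP is what makes that check meaningful at connect time.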
Attack Vector
Exploitation requires a valid authenticated session against the GraphQL endpoint. The attacker submits a GraphQL operation whose URL-typed argument points to an internal target, such as http://169.254.169.254/latest/meta-data/ on AWS-hosted deployments or an internal microservice listening on 127.0.0.1. The server fetches the URL and returns the response body inside the GraphQL response. By chaining requests the attacker enumerates internal hosts, harvests cloud credentials from instance metadata services where IMDSv1 is still enabled, and maps adjacent services for further attack staging.
No verified public exploit code is available. Refer to the Altium Security Advisories for vendor technical details.
Detection Methods for CVE-2026-11424
Indicators of Compromise
- Outbound HTTP GET requests from the Altium Enterprise Server or GraphQL service host to 169.254.169.254, 127.0.0.1, or RFC1918 ranges that fall outside normal application traffic.
- GraphQL operation logs containing URL-typed arguments referencing internal hostnames, loopback addresses, or cloud metadata endpoints.
- Unusual volumes of GraphQL queries from a single authenticated principal correlated with anomalous egress fetches.
Detection Strategies
- Inspect application logs for GraphQL fields that accept URL inputs and correlate them with outbound HTTP client activity from the same process.
- Apply egress filtering telemetry to flag connections from Altium service hosts targeting metadata services or private network ranges.
- Hunt for authenticated GraphQL sessions issuing repeated requests with varying URL parameters, which indicates internal scanning behavior.
Monitoring Recommendations
- Enable verbose request logging on the GraphQL service and forward to a SIEM for correlation with network egress events.
- Monitor cloud provider metadata access telemetry where available. On AWS, the EC2 CloudWatch metric MetadataNoToken counts token-less (IMDSv1) metadata calls per instance; a non-zero value on the Altium host is the signal to alert on, and it should drop to zero once IMDSv2 is enforced.
- Alert when a body returned through the URL-fetching GraphQL field contains credential-shaped content: JSON keys such as AccessKeyId, SecretAccessKey, or Token as returned by the IMDS security-credentials path, or a JWT (three base64url segments separated by dots).
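The detection strategies above and the credential-pattern alert under Monitoring Recommendations, combined into one added example (example code written for this page, not an Altium or vendor tool): it parses constructed JSON log lines for a hypothetical URL-taking GraphQL field, flags operations whose target is a non-global address or an internal-looking name, reports principals that touch several distinct internal targets (the scanning pattern), and scans a constructed fetched body for credential-shaped content. The log schema, the field name fetchPreview, the principals, the addresses and the threshold are all assumptions.

```python
"""
Added example for this page (not Altium's code): SSRF detection logic run
over constructed GraphQL request logs. The log schema, the field name
fetchPreview, the principals, the addresses and SCAN_THRESHOLD are all
assumptions; adapt the parser to the real log format.
"""
import ipaddress
import json
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample log: one JSON object per GraphQL operation that carried
# a URL-typed argument. Nothing here comes from a real deployment.
SAMPLE_LOG = """
{"ts":"2026-06-09T10:00:01Z","principal":"alice","field":"fetchPreview","url":"https://assets.example.com/board.png"}
{"ts":"2026-06-09T10:05:13Z","principal":"mallory","field":"fetchPreview","url":"http://169.254.169.254/latest/meta-data/iam/security-credentials/"}
{"ts":"2026-06-09T10:05:15Z","principal":"mallory","field":"fetchPreview","url":"http://127.0.0.1:8500/v1/kv/?recurse"}
{"ts":"2026-06-09T10:05:17Z","principal":"mallory","field":"fetchPreview","url":"http://10.0.0.5:8080/actuator/env"}
{"ts":"2026-06-09T10:05:19Z","principal":"mallory","field":"fetchPreview","url":"http://10.0.0.6:8080/actuator/env"}
{"ts":"2026-06-09T10:07:40Z","principal":"bob","field":"fetchPreview","url":"http://metadata.google.internal/computeMetadata/v1/"}
""".strip()

# Constructed body shaped like an IMDSv1 security-credentials response (fake values).
SAMPLE_RESPONSE = ('{"Code":"Success","Type":"AWS-HMAC","AccessKeyId":"ASIAEXAMPLE000000000",'
                   '"SecretAccessKey":"EXAMPLE/SECRET/KEY/NOT/REAL","Token":"EXAMPLETOKEN"}')

SCAN_THRESHOLD = 3   # distinct internal targets from one principal before we call it scanning

CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r'"AccessKeyId"\s*:'),
    "aws_secret_access_key": re.compile(r'"SecretAccessKey"\s*:'),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}


def target_is_internal(url: str) -> bool:
    """True when the URL's host is a non-global IP literal or an internal-looking name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. Treat dotless names and *.internal / *.local as
        # internal (assumption; extend with the site's own naming scheme).
        h = host.lower()
        return "." not in h or h.endswith((".internal", ".local"))
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global          # loopback, link-local (IMDS), RFC1918, ...


def analyze_log(text: str) -> Dict[str, object]:
    """Flag SSRF-looking operations and principals that probe several targets."""
    flagged: List[dict] = []
    targets = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if target_is_internal(rec["url"]):
            flagged.append(rec)
            targets[rec["principal"]].add(urlsplit(rec["url"]).netloc)
    scanners = sorted(p for p, t in targets.items() if len(t) >= SCAN_THRESHOLD)
    return {"flagged": flagged, "scanners": scanners}


def find_credential_patterns(body: str) -> List[str]:
    """Names of the credential patterns present in a fetched response body."""
    return sorted(name for name, rx in CREDENTIAL_PATTERNS.items() if rx.search(body))


if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    for rec in result["flagged"]:
        print(f"SSRF-INTERNAL {rec['ts']} {rec['principal']} {rec['url']}")
    print("scanning principals:", result["scanners"])
    print("credential patterns in sample body:", find_credential_patterns(SAMPLE_RESPONSE))
```

On the sample, every request except alice's is flagged, but only mallory crosses the scanning threshold; bob's single metadata probe is still worth a ticket on its own, which is why flagged events and scanning principals are reported separately.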
How to Mitigate CVE-2026-11424
Immediate Actions Required
- Upgrade Altium Enterprise Server to version 8.1.1 or later. Altium 365 customers receive the fix automatically at the service level.
- Audit GraphQL access logs for evidence of SSRF probing against internal or metadata endpoints prior to patching.
- Rotate any cloud instance credentials, API tokens, or secrets reachable from the Altium service host if exploitation is suspected.
Patch Information
Altium Enterprise Server is fixed in version 8.1.1. Altium 365 has been remediated at the service level and requires no customer action. Consult the Altium Security Advisories page for release notes and download instructions.
Workarounds
- Require IMDSv2 (http-tokens required) on AWS-hosted Altium Enterprise Server deployments. IMDSv2 needs a PUT request to obtain a session token and a token header on every read, neither of which this GET-only, header-less primitive can produce, so enforcing it closes the metadata-theft path. A PUT response hop limit of 1 additionally keeps the token from crossing a network hop; raise it to 2 only if a containerized workload on the same host legitimately needs IMDS through a bridge network.
- Restrict egress traffic from the Altium server host using host firewall or security group rules to only the destinations required for normal operation.
- Place the GraphQL service behind a forward proxy that denies requests to RFC1918, loopback, and link-local address ranges.
# Example AWS CLI command to enforce IMDSv2 and limit metadata hop count
# (the instance ID is a placeholder; substitute the Altium server's instance)
aws ec2 modify-instance-metadata-options \
  --instance-id i-0123456789abcdef0 \
  --http-tokens required \
  --http-put-response-hop-limit 1 \
  --http-endpoint enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.