CVE-2026-11429 Overview
CVE-2026-11429 is an unauthenticated path traversal vulnerability [CWE-22] in the Vault Service ScriptsController shared by Altium Enterprise Server and Altium 365. Two file upload endpoints construct destination paths from a user-supplied filename component without validation. The file write completes before authentication is checked, so no credentials or session are required. An attacker can place executable content in service-writable directories and achieve remote code execution under the Vault Service account. Altium fixed the issue in Altium Enterprise Server 8.1.1 and remediated Altium 365 commercial and government cloud at the service level.
Critical Impact
Unauthenticated remote attackers can write arbitrary files to any location writable by the Vault Service account, enabling remote code execution with service-level privileges.
Affected Products
- Altium Enterprise Server (versions prior to 8.1.1)
- Altium 365 commercial cloud (remediated at service level)
- Altium 365 government cloud (remediated at service level)
Discovery Timeline
- 2026-06-05 - CVE-2026-11429 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-11429
Vulnerability Analysis
The vulnerability resides in two file upload endpoints exposed by the Vault Service ScriptsController. These endpoints accept HTTP requests containing a filename component that is concatenated into the destination path on disk. The service writes the uploaded content to that path before performing authentication checks. This ordering inverts the standard control flow where authentication must precede any state-changing operation.
Because both Altium Enterprise Server and Altium 365 share the same Vault Service code, the flaw affects on-premises and cloud deployments identically. Successful exploitation yields arbitrary file write with the privileges of the Vault Service account, which typically has broad file system access on the server host.
Root Cause
The root cause is missing input validation on the filename parameter combined with incorrect ordering of authentication and file I/O. Path traversal sequences such as ..\ or absolute paths in the filename component are not sanitized or normalized. The file write logic executes inside the request handler before the authentication filter rejects the unauthenticated request, so the side effect persists even when the request is later denied.
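The corrected ordering and filename check described above, as an added example (not Altium's code): authenticate first, reduce the filename to a single leaf name, confirm the resolved path stays in the upload directory, and only then write. The function names are hypothetical, and Windows path rules are assumed because the page refers to `..\` sequences and `powershell.exe`.

```python
import ntpath
import os


class UploadRejected(Exception):
    """Raised when a request must be refused before any file I/O happens."""


def safe_destination(base_dir: str, filename: str) -> str:
    """Return a path inside base_dir for filename, or raise UploadRejected."""
    # Treat both separator styles alike and apply Windows (ntpath) rules,
    # whatever platform this example itself runs on.
    name = filename.replace("/", "\\")
    drive, tail = ntpath.splitdrive(name)
    if drive or tail.startswith("\\"):
        raise UploadRejected("absolute path or drive/UNC prefix in filename")
    leaf = ntpath.basename(tail)
    if leaf != tail or leaf in ("", ".", ".."):
        raise UploadRejected("filename contains directory components")
    if any(c in leaf for c in '<>:"|?*') or any(ord(c) < 32 for c in leaf):
        raise UploadRejected("illegal character in filename")
    # Defence in depth: the resolved path must still sit under base_dir.
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, leaf))
    if os.path.commonpath([base, dest]) != base:
        raise UploadRejected("resolved path escapes upload directory")
    return dest


def handle_upload(base_dir, filename, content, is_authenticated):
    """Authenticate first, validate second, write last."""
    if not is_authenticated:
        # Rejected before any side effect, so nothing persists on denial.
        raise UploadRejected("authentication required")
    dest = safe_destination(base_dir, filename)
    with open(dest, "xb") as fh:  # exclusive create: never overwrite a file
        fh.write(content)
    return dest
```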
Attack Vector
An unauthenticated attacker reaches the affected endpoints over the network and submits a crafted upload request. The filename field contains traversal sequences that redirect the write to a directory from which the Vault Service later loads or executes code. Common targets include script directories, plugin folders, or web-accessible paths used by the service. Once placed, the malicious file is executed by the service during its normal operation, granting the attacker code execution under the service account.
No verified proof-of-concept code is publicly available. See the Altium Security Advisory for vendor-confirmed technical details.
Detection Methods for CVE-2026-11429
Indicators of Compromise
- Unexpected files appearing in Vault Service directories, particularly script, plugin, or web content folders writable by the service account
- HTTP POST or PUT requests to ScriptsController endpoints containing ..\, ../, or absolute path patterns in filename fields
- Child processes spawned by the Vault Service that do not match its normal execution profile
- Outbound network connections originating from the Vault Service host to unfamiliar destinations following file upload activity
Detection Strategies
- Inspect web server and application logs for requests to ScriptsController upload endpoints from unauthenticated sessions
- Alert on filename parameters containing directory traversal sequences or path separators
- Monitor process creation events where the Vault Service account is the parent of interpreters such as powershell.exe, cmd.exe, or scripting hosts
- Use file integrity monitoring on Vault Service installation directories to detect unauthorized writes
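One way to implement the log inspection described in the first two strategies, as an added example that is not vendor tooling. It assumes a combined-format access log, an upload route containing `ScriptsController`, and a filename carried in the query string; the route, the `fileName` parameter and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumptions: combined-format access log; the upload route contains
# "ScriptsController"; the filename travels in the query string.
LINE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
PATHY = re.compile(r"[\\/]|^[A-Za-z]:")  # any separator (covers ..\ ../) or drive


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> '.')."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines):
    """Return one finding per upload request whose parameters look like paths."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] not in ("POST", "PUT"):
            continue
        url = urlsplit(m["url"])
        if "scriptscontroller" not in url.path.lower():
            continue
        hits = {k: fully_decode(v) for k, v in parse_qsl(url.query)
                if PATHY.search(fully_decode(v))}
        if hits:
            # Do not filter on status: the write happens before the auth check,
            # so a denied request can still have left a file on disk.
            findings.append({"ip": m["ip"], "status": m["status"],
                             "unauthenticated": m["user"] == "-", "params": hits})
    return findings


SAMPLE = [  # constructed log lines, not taken from a real server
    '192.0.2.10 - alice [01/Jan/2026:10:00:01 +0000] "POST /vault/ScriptsController/Upload?fileName=build.js HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2026:10:02:13 +0000] "POST /vault/ScriptsController/Upload?fileName=..%5C..%5Cplugins%5Cx.js HTTP/1.1" 401 0',
    '198.51.100.7 - - [01/Jan/2026:10:02:20 +0000] "PUT /vault/ScriptsController/Upload?fileName=%252e%252e%252fweb%252fx.txt HTTP/1.1" 401 0',
    '192.0.2.10 - alice [01/Jan/2026:10:05:00 +0000] "GET /vault/ScriptsController/List?path=a/b HTTP/1.1" 200 40',
]
```

Filenames sent in a multipart body do not appear in access logs, so this check complements file integrity monitoring rather than replacing it.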
Monitoring Recommendations
- Forward Vault Service application logs and host telemetry to a centralized analytics platform for correlation across upload activity, file writes, and subsequent process execution
- Baseline normal ScriptsController request patterns and alert on deviations in source IP, request volume, or payload structure
- Track service account behavior for new parent-child process relationships or unusual file system access patterns
How to Mitigate CVE-2026-11429
Immediate Actions Required
- Upgrade Altium Enterprise Server to version 8.1.1 or later without delay
- Confirm Altium 365 tenants are running the remediated service version; cloud customers receive the fix automatically from Altium
- Restrict network access to the Vault Service to trusted management networks until patching is verified
- Review Vault Service installation directories for unexpected files created since deployment
Patch Information
Altium has released Altium Enterprise Server 8.1.1, which remediates both vulnerable ScriptsController endpoints. Altium 365 commercial and government cloud instances have been patched at the service level by Altium. Refer to the Altium Security Advisory for download links and detailed upgrade guidance.
Workarounds
- Block external network access to the Vault Service HTTP interface using firewall or reverse proxy rules until the patch is applied
- Run the Vault Service under a least-privileged account with write access limited to directories required for operation
- Apply web application firewall rules that reject upload requests containing path traversal sequences in filename fields
# Example firewall restriction limiting Vault Service access to a management subnet
iptables -A INPUT -p tcp --dport 9780 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9780 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


