Altium Enterprise Server Path Traversal and Arbitrary File Write Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-11420

Two path traversal flaws in Altium Enterprise Server's Network Installation Service permit unauthenticated attackers to write arbitrary files to the server or read package archives, potentially enabling remote code execution or disclosure of sensitive data. Altium 365 cloud deployments are unaffected.

Halo Surface Signal: 3

Path Traversal

Altium On Prem Enterprise Server

before 8.1.1

External exposure likelihood

The Network Installation Service in Altium Enterprise Server is intended for managing software deployments within an organization. While the vulnerability is network-accessible without authentication, such services are typically deployed within internal corporate networks for technician or developer access rather than being directly exposed to the public internet.

PCI scan relevance

Yes

CVE-2026-11420 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

The path traversal vulnerabilities in Altium Enterprise Server can allow unauthenticated attackers to write arbitrary files or execute code remotely, which is why the issue is relevant to PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Altium Enterprise Server's Network Installation Service, allowing unauthenticated attackers to potentially write arbitrary files or read sensitive information on the server. This could lead to the execution of malicious code on the affected systems. Altium 365 cloud deployments are not impacted by this issue.

  • Attackers can write/read files without logging in.
  • Affects on-premise servers, not cloud deployments.
  • Confirm relevance and exposure of on-premise installations.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker on the network can interact with the Altium Enterprise Server's Network Installation Service. This could allow them to write arbitrary files to the server or read sensitive archive files. The vulnerability may lead to remote code execution or disclosure of deployment package contents.

  • No authentication required.
  • Write/read files via Network Installation Service.
  • Remote code execution or data disclosure.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could impact the integrity and confidentiality of data on Altium Enterprise Server deployments. An unauthenticated attacker could write arbitrary files to the server, potentially leading to the execution of malicious code, or read sensitive information contained within package archives. This risk exists when the Network Installation Service is accessible over the network.

  • Server files and application binaries at risk.
  • Arbitrary file writes and reads are possible.
  • Remote code execution and data disclosure may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

Altium Enterprise Server deployments using the Network Installation Service (NIS) are at risk from unauthenticated attackers who can write arbitrary files or read package archives. This could lead to remote code execution or disclosure of sensitive deployment information. The first practical step is to identify all instances of the affected on-premise Altium Enterprise Server, confirm their network accessibility, and identify the accountable owner before planning remediation.

  • Identify affected on-premise deployments.
  • Verify external reachability and business criticality.
  • Plan remediation based on identified ownership.

Frequently asked questions

What is Altium Enterprise Server and why does it use a Network Installation Service?

Altium Enterprise Server is a platform for managing electronic design data and collaboration. Its Network Installation Service (NIS) acts as a centralized component to streamline the deployment and distribution of software packages and updates across an organization's workstations, ensuring engineers remain on standardized tool versions.

What does path traversal mean in the context of CVE-2026-11420?

This vulnerability involves Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal (CWE-22), alongside Missing Authentication for Critical Function (CWE-306). In practice, the service does not validate the requests it receives, which lets an attacker manipulate the file paths they contain. By supplying specially crafted inputs, an attacker can navigate outside the intended directories to read sensitive package archives or overwrite critical server files and binaries.
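An added illustration of the path traversal class (CWE-22) described above, not Altium's code: the page gives no detail of the Network Installation Service's request format, so the function names, the `packages` directory and the sample names are all constructed. It contrasts an unchecked join with a resolver that rejects dot segments, absolute paths and symlinks that leave the root.

```python
import os
import tempfile
from pathlib import Path


def naive_join(root: Path, requested: str) -> Path:
    """Weak pattern (CWE-22): the client-supplied name is joined unchecked."""
    return Path(os.path.join(root, requested))


def resolve_inside(root: Path, requested: str) -> Path:
    """Return the real target path if it stays inside root, else raise ValueError."""
    # Treat both separators alike so Windows-style input gets the same checks.
    name = requested.replace("\\", "/")
    if not name or "\x00" in name or name.startswith("/") or ":" in name:
        raise ValueError("empty, NUL-containing, absolute or drive-qualified name")
    if any(part in ("", ".", "..") for part in name.split("/")):
        raise ValueError("dot segment or empty component")
    root_real = root.resolve()
    # resolve() follows symlinks, so a link that leaves the root is caught too.
    target = (root_real / name).resolve()
    if root_real not in target.parents:
        raise ValueError("resolved path escapes the root")
    return target


def demo() -> dict:
    """Map each constructed name to (naive join escapes root, hardened check accepts)."""
    names = ["tools/setup-1.0.zip", "../outside.txt", "..\\outside.txt",
             "/etc/hostname", "link/outside.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "packages"
        root.mkdir()
        os.symlink(tmp, root / "link")  # constructed symlink pointing out of root
        root_real = root.resolve()
        for name in names:
            escapes = root_real not in naive_join(root_real, name).resolve().parents
            try:
                resolve_inside(root, name)
                accepted = True
            except ValueError:
                accepted = False
            results[name] = (escapes, accepted)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: naive escapes={outcome[0]}, hardened accepts={outcome[1]}")
```

On POSIX the backslash name stays inside the root under the naive join because `\` is not a separator there; on Windows it would escape, which is why the resolver normalises separators before checking.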

How does an attacker trigger this vulnerability?

An attacker triggers this by sending malicious network requests directly to the Network Installation Service. Because the service lacks any authentication or session requirements, no preconditions like login credentials or prior access are needed. It is important to note that Altium 365 cloud deployments are not affected, as they do not include this specific installation service component.

Is my Altium Enterprise Server installation at risk?

According to Halo Surface Signal, risk depends on network placement. While the service is reachable without authentication, it is typically deployed within internal corporate networks rather than public-facing ones. If your server is accessible from the broader network, you face higher risk. You should verify whether the service can be reached from network segments that are not authorized to use it.

What is the first step to address CVE-2026-11420?

You should immediately audit your infrastructure to locate all on-premise instances of Altium Enterprise Server running versions prior to 8.1.1. Once identified, confirm which instances are accessible over the network and verify their current patch level. Coordinate with your IT or security team to restrict unauthorized network access to these services while you prepare for the necessary software updates.
