Path Traversal in Altium Enterprise Server ComparisonService Allows Arbitrary File Write
Summary
| CVE | CVE-2026-9102 |
|---|---|
| State | PUBLISHED |
| Assigner | Altium |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-20 20:16:41 UTC |
| Updated | 2026-05-21 15:24:25 UTC |
| Description | A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem. Because content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service. |
Risk And Classification
Primary CVSS: v4.0 9.4 CRITICAL from 4760f414-e1ae-4ff1-bdad-c7a9c3538b79
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.006250000 probability, percentile 0.704230000 (date 2026-05-27)
Problem Types: CWE-22 | CWE-434 | CWE-22 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CWE-434 CWE-434 Unrestricted upload of file with dangerous type
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 4760f414-e1ae-4ff1-bdad-c7a9c3538b79 | Secondary | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/C... |
| 4.0 | CNA | CVSS | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
NonePrivileges Required
LowUser Interaction
NoneConfidentiality
HighIntegrity
HighAvailability
HighSub Conf.
HighSub Integrity
HighSub Availability
HighCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Altium | Altium Enterprise Server | affected 8.0.4 semver | Web |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.altium.com/platform/security-compliance/security-advisories | 4760f414-e1ae-4ff1-bdad-c7a9c3538b79 | www.altium.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Joris Aerts, Tesla Inc. (en)
There are currently no legacy QID mappings associated with this CVE.