A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController due to…

CVE-2026-11419 is a CWE-22 path traversal in the Altium Enterprise Server Vault Service UploadController. The vulnerable flow is described as an image-upload request where a regular authenticated user can supply a crafted absolute path so the configured storage root is ignored, turning a normal upload into an arbitrary file write anywhere the Altium service account can write. Based on Altium's April 1, 2026 release notes and the pattern of adjacent 2026 Enterprise Server traversal fixes, the most likely affected range is on-prem Altium Enterprise Server versions before 8.0.4; Altium 365 cloud is not affected.

In practice this is worse than a normal authenticated file upload bug because the primitive is server-side arbitrary write, which is how you get to config overwrite, binary replacement, web-accessible payload placement, and service takeover. But it is not CRITICAL in real enterprise conditions because the chain starts with authenticated remote access, is limited to the on-prem product population, and depends on service-account write permissions plus a useful target path to turn file write into durable compromise.

Why this verdict

• Arbitrary file write is the real issue: once the storage root can be bypassed, this stops being a benign upload bug and becomes overwrite-or-drop-anywhere the service account can write.
• Authentication is major downward pressure: the attacker needs a normal workspace account or stolen session first, which makes this a post-initial-access vulnerability in many enterprises.
• On-prem only narrows exposure: the cloud product is out of scope, so the reachable population is the subset still running self-managed Enterprise Server.
• Regular user is enough: despite the auth requirement, this does not appear to require admin privileges, so compromise of any ordinary account can be enough to start the chain.
• Low exploitation signals matter: EPSS is low, KEV is negative, and I found no public PoC or campaign reporting, which argues against a CRITICAL rush score.

Why not higher?

I am not calling this CRITICAL because it is not pre-auth and not cloud-wide. The attack population is constrained by three stacked frictions: the target must be running the on-prem product, the attacker must reach it, and they must already have a valid authenticated workspace user context before the traversal matters.

Why not lower?

I am not dropping this to MEDIUM because the primitive is still arbitrary file write on the server, not a cosmetic upload bypass. On a Windows/IIS application server, arbitrary write is one configuration mistake away from webshell placement, config theft, service takeover, or destructive overwrite.

1. Restrict exposure to trusted paths only — Put Enterprise Server behind VPN, reverse proxy, or source-IP restrictions and remove unnecessary direct access, especially any externally reachable HTTP/HTTPS bindings. For a HIGH verdict, deploy this within 30 days; it cuts off the largest real-world slice of the attack population before credentials can be used.
2. Tighten workspace authentication — Enforce SSO/MFA, disable stale accounts, and reduce who actually has workspace access because this bug needs a valid authenticated user. For a HIGH verdict, complete this within 30 days; shrinking the authenticated user pool directly shrinks exploitability.
3. Harden the Altium service account and writable paths — Review the Windows service identity and remove write access to IIS web roots, application binaries, startup locations, and high-value config paths wherever possible. For a HIGH verdict, do this within 30 days; it turns many arbitrary-write outcomes into dead ends instead of RCE.
4. Watch for suspicious file writes under Altium and IIS directories — Enable Sysmon/EDR/FIM coverage on Altium install paths, storage roots, IIS content directories, and config files so arbitrary-write attempts create high-signal alerts. For a HIGH verdict, enable within 30 days; this is your best compensating visibility if patching is not yet complete.

Run this on the target Windows server that hosts Altium Enterprise Server, from an elevated PowerShell session if possible so registry and program directories are readable. Invoke it exactly as powershell -ExecutionPolicy Bypass -File .\check-altium-cve-2026-11419.ps1; it needs only local read access and reports VULNERABLE, PATCHED, or UNKNOWN based on discovered product version.

# check-altium-cve-2026-11419.ps1

# Detect likely exposure to CVE-2026-11419 by checking installed Altium Enterprise Server version.

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'SilentlyContinue'
$fixedVersion = [version]'8.0.4'
$found = @()

function Add-Candidate {
    param(
        [string]$Source,
        [string]$Name,
        [string]$VersionString,
        [string]$Path
    )
    if ([string]::IsNullOrWhiteSpace($VersionString)) { return }
    try {
        $v = [version]($VersionString -replace '[^0-9\.]','')
        $script:found += [pscustomobject]@{
            Source  = $Source
            Name    = $Name
            Version = $v
            Raw     = $VersionString
            Path    = $Path
        }
    } catch {}
}

# 1) Uninstall registry keys

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
foreach ($root in $uninstallRoots) {
    Get-ItemProperty $root | ForEach-Object {
        $name = $_.DisplayName
        if ($name -match 'Altium' -and ($name -match 'Enterprise Server|On-Prem Enterprise Server|Concord Pro|NEXUS Server|Vault')) {
            Add-Candidate -Source 'Registry-Uninstall' -Name $name -VersionString $_.DisplayVersion -Path $_.InstallLocation
        }
    }
}

# 2) Common install directories

$dirs = @(
    "$env:ProgramFiles\Altium",
    "$env:ProgramFiles(x86)\Altium",
    'C:\Program Files\Altium',
    'C:\Program Files (x86)\Altium'
) | Select-Object -Unique

foreach ($dir in $dirs) {
    if (-not (Test-Path $dir)) { continue }

    Get-ChildItem -Path $dir -Directory -Recurse -Depth 2 | ForEach-Object {
        if ($_.FullName -match 'Enterprise Server|Concord Pro|NEXUS Server|Vault') {
            # Try a few likely executable/DLL files for ProductVersion

            $files = @(
                Get-ChildItem -Path $_.FullName -Filter '*.exe' -File -Recurse -Depth 2,
                Get-ChildItem -Path $_.FullName -Filter '*.dll' -File -Recurse -Depth 2
            ) | Select-Object -Unique

            foreach ($f in $files) {
                try {
                    $ver = (Get-Item $f.FullName).VersionInfo.ProductVersion
                    if ($ver) {
                        Add-Candidate -Source 'FileVersion' -Name $f.Name -VersionString $ver -Path $f.FullName
                    }
                } catch {}
            }
        }
    }
}

if (-not $found -or $found.Count -eq 0) {
    Write-Output 'UNKNOWN - Could not determine an installed Altium Enterprise Server version from registry or filesystem.'
    exit 2
}

$best = $found | Sort-Object Version -Descending | Select-Object -First 1
Write-Output ("Detected: {0} | Version: {1} | Source: {2} | Path: {3}" -f $best.Name, $best.Version, $best.Source, $best.Path)

if ($best.Version -lt $fixedVersion) {
    Write-Output 'VULNERABLE - Installed version is older than 8.0.4 and should be treated as likely exposed to CVE-2026-11419.'
    exit 1
}
else {
    Write-Output 'PATCHED - Installed version is 8.0.4 or newer.'
    exit 0
}

Sources

1. Altium Security Advisories
2. Altium On-Prem Enterprise Server 8.0 Release Notes
3. Altium KB: Disable HTTP Access for Enterprise Server
4. Altium Documentation: Information for IT Departments
5. Altium Documentation: Adding Users & Roles
6. FIRST EPSS
7. CISA Known Exploited Vulnerabilities Catalog
8. VulDB record for CVE-2026-11419