A path traversal vulnerability exists in the Altium Enterprise Server Collaboration Service due to improper…

CVE-2026-11423 is a path traversal bug in the Altium Enterprise Server Collaboration Service. A regular authenticated user can plant a crafted filename in collaboration content, and when the MCAD or Simulation download flow later builds a server-side path from that filename, the service can be tricked into reading arbitrary files from the Windows host. The record and secondary references indicate on-premise Altium Enterprise Server is affected, Altium 365 cloud is not, and the practical fixed train is 8.1.1; in other words, treat 8.1.0 and earlier as exposed unless your vendor support channel says otherwise.

In pure impact terms this is ugly because arbitrary file read against the server can expose LocalVault.ini and related secrets, which can collapse straight into administrator access and full platform compromise. But the vendor-style 'critical by consequence' instinct overstates real-world urgency for most fleets: the attack requires a normal authenticated workspace user, hits a narrower on-prem population rather than the broader cloud estate, and there is no current KEV listing or exploitation evidence. That pushes it below internet-wormable territory, but not by much once you consider how much authority a 'mere user' can convert out of one server config file.

Why this verdict

• Post-authenticated remote only: this is not pre-auth and not wormable. Requiring any valid workspace user sharply reduces reachable population compared with edge-facing unauthenticated RCE.
• On-prem only: Altium 365 cloud is not affected, which cuts exposure down to self-hosted Enterprise Server estates rather than the full platform install base.
• Impact is still near-worst-case: once reached, arbitrary file read against a server that stores privileged config and secrets can collapse into admin authentication and full server control.
• No exploitation signal: no KEV listing, no public campaign reporting, and a very low EPSS value all push against a CRITICAL rating.
• Detection coverage is weak: authenticated business-logic path traversal often slips past unauthenticated scanners and perimeter controls, so if an attacker already has a foothold, this may be quiet.

Why not higher?

I am not calling this CRITICAL because every successful path starts with a prior compromise or legitimate user presence. That prerequisite implies the attacker is already inside your trust boundary, and modern enterprise controls such as SSO, VPNs, IP allowlists, and account lifecycle management remove a large share of theoretical exposure. No active exploitation evidence also matters here.

Why not lower?

I am not dropping this to MEDIUM because the payload is not a low-consequence file read. On a typical Enterprise Server host, reading master configuration and secret-bearing files can hand over administrator-equivalent control of the platform, its data, and potentially adjacent integration trust. The blast radius is too large for backlog treatment.

1. Constrain reachability — Put Enterprise Server behind VPN, private access, or strict source-IP allowlists if it is reachable from broad user networks. This directly attacks the biggest real-world amplifier for authenticated bugs: too many people can hit the login surface. For a HIGH verdict, deploy within 30 days.
2. Reduce who has any account at all — Purge dormant workspace users, contractor accounts, shared accounts, and unnecessary service identities from Enterprise Server and upstream IdP groups. This vulnerability starts at PR:L, so every account you remove reduces the attacker population that can trigger it. For a HIGH verdict, complete the access cleanup within 30 days.
3. Watch the config crown jewels — Add EDR or file access monitoring for reads of LocalVault.ini, adjacent secret files, and unusual archive/download activity from the Collaboration Service context. You are looking for low-privileged app sessions followed by sensitive local file access and then privileged logins. Stand this up within 30 days.
4. Segment the server — Restrict Enterprise Server outbound and lateral connectivity to only what it actually needs, especially database, PLM, and identity integration paths. This does not stop the traversal itself, but it limits what an attacker can do after harvesting server-side secrets. Apply within 30 days.
5. Rotate secrets stored on-host after upgrade — If you suspect the server may already have been read, rotate privileged credentials, OAuth secrets, certificates, and service account material stored or referenced by the server. This is particularly important because the value of the bug is not the file read alone, but the reusability of what is in those files. Execute rotation as part of the post-fix hardening cycle, within 30 days for exposed instances.

Run this on the target Windows Enterprise Server host in an elevated PowerShell session, or a standard session if you already have read access to the install directory and uninstall registry. Invoke it as powershell -ExecutionPolicy Bypass -File .\check-altium-cve-2026-11423.ps1. It checks common Altium install and registry locations to determine whether the installed Enterprise Server version is before 8.1.1.

# check-altium-cve-2026-11423.ps1\n# Purpose: Determine likely exposure to CVE-2026-11423 on a Windows Altium Enterprise Server host\n# Logic: Versions earlier than 8.1.1 are treated as VULNERABLE; 8.1.1 or later as PATCHED\n# Exit codes: 0 = PATCHED, 1 = VULNERABLE, 2 = UNKNOWN\n\n[CmdletBinding()]\nparam()\n\nfunction Write-Result {\n    param(\n        [string]$State,\n        [string]$Reason,\n        [int]$Code\n    )\n    Write-Output "$State - $Reason"\n    exit $Code\n}\n\nfunction Parse-Version {\n    param([string]$Text)\n    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }\n    $m = [regex]::Match($Text, '(\\d+)\\.(\\d+)\\.(\\d+)(?:\\.(\\d+))?')\n    if (-not $m.Success) { return $null }\n    try {\n        $maj = [int]$m.Groups[1].Value\n        $min = [int]$m.Groups[2].Value\n        $bld = [int]$m.Groups[3].Value\n        $rev = if ($m.Groups[4].Success) { [int]$m.Groups[4].Value } else { 0 }\n        return [version]::new($maj, $min, $bld, $rev)\n    } catch {\n        return $null\n    }\n}\n\n$target = [version]::new(8,1,1,0)\n$candidates = New-Object System.Collections.Generic.List[object]\n\n# 1) Uninstall registry keys\n$regPaths = @(\n    'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*',\n    'HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*'\n)\nforeach ($rp in $regPaths) {\n    try {\n        Get-ItemProperty -Path $rp -ErrorAction SilentlyContinue | ForEach-Object {\n            $name = $_.DisplayName\n            $ver  = $_.DisplayVersion\n            if ($name -match 'Altium.*(Enterprise Server|On-Prem Enterprise Server|Altium365)') {\n                $pv = Parse-Version $ver\n                if ($pv) {\n                    $candidates.Add([pscustomobject]@{ Source='Registry'; Path=$_.PSPath; Version=$pv; Raw=$ver; Name=$name })\n                }\n            }\n        }\n    } catch {}\n}\n\n# 2) LocalVault.ini under common install roots\n$iniPaths = @(\n    'C:\\Program Files (x86)\\Altium\\Altium365\\LocalVault.ini',\n    'C:\\Program Files\\Altium\\Altium365\\LocalVault.ini'\n)\nforeach ($ini in $iniPaths) {\n    if (Test-Path -LiteralPath $ini) {\n        try {\n            $content = Get-Content -LiteralPath $ini -ErrorAction Stop\n            foreach ($line in $content) {\n                if ($line -match '(?i)(Version|Build|ServerVersion)\\s*=\\s*(.+)$') {\n                    $pv = Parse-Version $Matches[2]\n                    if ($pv) {\n                        $candidates.Add([pscustomobject]@{ Source='LocalVault.ini'; Path=$ini; Version=$pv; Raw=$Matches[2]; Name='LocalVault.ini' })\n                    }\n                }\n            }\n        } catch {}\n    }\n}\n\n# 3) File version from likely binaries\n$filePaths = @(\n    'C:\\Program Files (x86)\\Altium\\Altium365\\Altium.Server.exe',\n    'C:\\Program Files (x86)\\Altium\\Altium365\\Bin\\Altium.Server.exe',\n    'C:\\Program Files (x86)\\Altium\\Altium365\\Web\\bin\\*',\n    'C:\\Program Files\\Altium\\Altium365\\Altium.Server.exe'\n)\nforeach ($fp in $filePaths) {\n    try {\n        Get-Item -Path $fp -ErrorAction SilentlyContinue | ForEach-Object {\n            if (-not $_.PSIsContainer -and $_.VersionInfo -and $_.VersionInfo.FileVersion) {\n                $pv = Parse-Version $_.VersionInfo.FileVersion\n                if ($pv) {\n                    $candidates.Add([pscustomobject]@{ Source='FileVersion'; Path=$_.FullName; Version=$pv; Raw=$_.VersionInfo.FileVersion; Name=$_.Name })\n                }\n            }\n        }\n    } catch {}\n}\n\nif ($candidates.Count -eq 0) {\n    Write-Result -State 'UNKNOWN' -Reason 'Could not determine an Altium Enterprise Server version from registry, LocalVault.ini, or common binary paths.' -Code 2\n}\n\n$best = $candidates | Sort-Object Version -Descending | Select-Object -First 1\n\nif ($best.Version -lt $target) {\n    Write-Result -State 'VULNERABLE' -Reason ("Detected version {0} from {1} ({2}); versions earlier than 8.1.1 should be treated as exposed to CVE-2026-11423." -f $best.Raw, $best.Source, $best.Path) -Code 1\n} elseif ($best.Version -ge $target) {\n    Write-Result -State 'PATCHED' -Reason ("Detected version {0} from {1} ({2}); 8.1.1 or later is treated as fixed for CVE-2026-11423." -f $best.Raw, $best.Source, $best.Path) -Code 0\n} else {\n    Write-Result -State 'UNKNOWN' -Reason 'Version comparison failed unexpectedly.' -Code 2\n}

Sources

1. Altium Security Advisories
2. Altium On-Prem Enterprise Server 8.1 Release Notes
3. Altium On-Prem Enterprise Server IT Documentation
4. VulDB CVE-2026-11423
5. Inventive HQ CVE-2026-11423
6. FIRST EPSS
7. CISA Known Exploited Vulnerabilities Catalog
8. Santa Fe Cyber CVE Feed Entry