Altium has issued patches addressing two critical vulnerabilities in Altium Enterprise Server, the backbone platform used by engineering teams globally to manage complex printed circuit board (PCB) designs, component libraries, and team collaboration workflows.
Tracked as CVE-2026-9129 and CVE-2026-9102, both security flaws carry a severe CVSS base score of 9.4, representing an immediate threat to on-premises development environments. Operating independently within separate core service modules, the bugs give regular authenticated workspace users the power to break completely out of their assigned data boundaries, allowing them to harvest master database credentials or achieve full remote code execution (RCE) on the host server.
The first high-severity vulnerability, tracked as CVE-2026-9129, exposes a severe validation breakdown inside Altium's design-viewing architecture. Specifically, a path traversal vulnerability exists within the platform's StorageController component under the Viewer microservice.
When an engineer interacts with the design viewer, the server handles localized file route parameters to fetch relevant layout sheets and fabrication drawings. The breakdown occurs because the backend fails to safely normalize these route parameters.
A regular authenticated user can intentionally supply a URL-encoded absolute path (such as an encoded Windows drive letter or root directory tree) directly inside a Viewer storage API request. When processed, this manipulation triggers a fatal logic error: the application discards the pre-configured storage root path entirely and follows the attacker's absolute path instead. This allows the user to read arbitrary files directly off the host server's filesystem.
While the first vulnerability focuses on data exfiltration, the second flaw, tracked as CVE-2026-9102, provides a direct pathway to complete server takeover via arbitrary file writes.
This path traversal bug resides inside Altium's ComparisonService, the utility responsible for performing diff checks and analyzing modifications between separate design revisions. The security breakdown traces back to a total absence of filename sanitization routines within the platform's Gerber file upload APIs. Gerber files represent the standard open 2D vector images used by printed circuit board fabrication software to describe physical board layers.
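The "discards the storage root" behaviour described above is a well-known property of path-join routines, not something unique to Altium: Python's os.path.join and .NET's Path.Combine both return the second argument unchanged when it is absolute. The following is an added illustration written for this article, not Altium's code; the storage roots are constructed values, and posixpath/ntpath are used explicitly so that both the Linux and the Windows drive-letter case can be shown on any host. naive_resolve reproduces the bug pattern; safe_resolve is the hardened form a reviewer would expect.

```python
import ntpath
import posixpath
from urllib.parse import unquote

# Constructed storage roots for the demonstration (hypothetical, not Altium's real layout).
POSIX_ROOT = "/var/lib/viewer/storage"
WINDOWS_ROOT = "D:\\ViewerStorage"


def naive_resolve(root, route_param, flavor=posixpath):
    """The bug pattern: join() is not a containment operation.

    When the decoded route parameter is absolute (a leading '/' on POSIX,
    a drive letter or UNC prefix on Windows) the configured root is
    silently discarded and the caller's path wins. `flavor` selects
    posixpath or ntpath so both behaviours are reproducible anywhere.
    """
    decoded = unquote(route_param)
    return flavor.join(root, decoded)


def safe_resolve(root, route_param, flavor=posixpath):
    """Hardened resolver: returns a path under `root`, or None when the
    request cannot be proven to stay inside it."""
    decoded = unquote(route_param)
    # 1. Refuse absolute and drive-qualified input outright instead of
    #    letting join() interpret it.
    if flavor.isabs(decoded) or flavor.splitdrive(decoded)[0]:
        return None
    # 2. Anchor under the root and collapse any '..' segments lexically.
    root_norm = flavor.normpath(root)
    candidate = flavor.normpath(flavor.join(root_norm, decoded))
    # 3. Containment check against root plus separator, so that a sibling
    #    such as /storage-evil is not accepted as a child of /storage.
    if candidate != root_norm and not candidate.startswith(root_norm + flavor.sep):
        return None
    # This is a lexical check only: on a live filesystem also resolve
    # symlinks (os.path.realpath) before comparing against the root.
    return candidate
```

The decisive difference is step 3: normalising alone is not enough, because an absolute parameter never contains `..` and survives normalisation untouched; the resolver has to prove that the final candidate still lies under the configured root.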
When a regular workspace user uploads a design package for comparison, the server processes the incoming file metadata. A malicious actor can easily manipulate the multipart Content-Disposition header of the upload request, supplying a crafted filename injected with directory traversal sequences (such as ../).
Because the API fails to clean the string, the file escapes its intended temporary sandbox directory and writes itself to any arbitrary path on the server filesystem. The flaw can be exploited across two major attack paths:
- Remote Code Execution (RCE): By intentionally routing content-controlled scripts or web shells into web-accessible directories, the attacker can trigger those scripts via a browser to achieve interactive shell execution under the context of the service account.
- Service Takeover / Denial of Service (DoS): Alternatively, the traversal can be used to intentionally overwrite core application binaries or system configuration files, instantly knocking the design portal offline or forcing a persistent backdoor into the operational environment.
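The upload-side flaw comes down to one decision: whether any part of the client-supplied Content-Disposition filename is allowed to become a filesystem path component. The following added example (written for this article, not Altium's ComparisonService code; the upload root and extension allowlist are constructed values) shows the mitigation a reviewer would ask for: the client name is reduced to a basename for display and metadata only, and the on-disk location is built from a server-generated token so traversal sequences in the header can never influence where the file lands.

```python
import re
import secrets
import ntpath
import posixpath

# Constructed values for the demonstration (hypothetical; not Altium's real layout).
UPLOAD_ROOT = "/var/tmp/comparison-uploads"
ALLOWED_EXTENSIONS = {".gbr", ".gtl", ".gbl", ".gts", ".gbs", ".gko", ".drl", ".zip"}

# Matches the filename="..." parameter of a multipart part header.
_FILENAME_PARAM = re.compile(r';\s*filename="([^"]*)"', re.IGNORECASE)


def parse_disposition_filename(content_disposition):
    """Extract the filename= parameter from a multipart Content-Disposition
    header. (RFC 5987 filename*= is not handled here.) Returns None if absent."""
    m = _FILENAME_PARAM.search(content_disposition)
    return m.group(1) if m else None


def sanitize_display_name(raw):
    """Reduce a client-supplied name to a plain basename for metadata and
    display. It is deliberately never used to build a filesystem path."""
    # Strip directory components for both separator families regardless of
    # host OS, so '..\\' from a Windows client is handled on a Linux server.
    name = ntpath.basename(posixpath.basename(raw))
    # Conservative character allowlist; anything else becomes '_'.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    # Drop leading dots (hidden files, '.' and '..') and cap the length.
    name = name.lstrip(".")[:128]
    return name or "upload"


def plan_upload_storage(content_disposition):
    """Decide where an upload will be written.

    Returns (stored_path, display_name), or None when the upload is rejected.
    The stored path uses a server-generated random token, so no byte of the
    client-supplied name ever becomes a path component; the extension is
    taken only after sanitisation and must be on the allowlist.
    """
    raw = parse_disposition_filename(content_disposition)
    if raw is None:
        return None
    display = sanitize_display_name(raw)
    ext = posixpath.splitext(display)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    stored = posixpath.join(UPLOAD_ROOT, secrets.token_hex(16) + ext)
    return stored, display
```

Taking both posixpath.basename and ntpath.basename matters because a server-side sanitiser that only knows its own separator will pass `..\..\` through untouched when the server runs on Linux, and vice versa.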
The combination of CVE-2026-9129 and CVE-2026-9102 means that an internal user can seamlessly chain a local read and write primitive to gain absolute control over an organization's engineering repository.
Because both vulnerabilities require standard workspace authentication, corporate security teams running on-premises deployments should immediately execute the following proactive measures:
- Deploy Upstream Security Patches: Coordinate an immediate maintenance window to update all on-premises Altium Enterprise Server installations to the latest fixed release baselines provided by the vendor.
- Audit User Scopes and Session Logs: Review active user registries and restrict workspace privileges exclusively to verified personnel. Audit API transaction logs for unusual high-frequency requests hitting the StorageController or ComparisonService endpoints, specifically monitoring for anomalous directory characters or drive letters within the parameters.
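As an added illustration of the log audit recommended above (this is example code written for this article, not a vendor-supplied detection; the endpoint prefixes are assumptions, since the advisory names the StorageController and ComparisonService components but not their URL routes, and the log lines are constructed), the scanner below decodes each request target, including nested percent-encoding, and flags parameters that carry traversal sequences, Windows drive letters, or absolute paths, while ignoring the same characters on unrelated endpoints.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Hypothetical route prefixes: the advisory names the components, not their URLs.
WATCHED_PREFIXES = ("/viewer/api/storage", "/comparison/api")

# Indicators that should never appear in a route/file parameter (checked after decoding).
INDICATORS = (
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("drive-letter", re.compile(r"^[A-Za-z]:[\\/]")),
    ("absolute-path", re.compile(r"^[\\/]")),
)

# Common-log-format request line: client, ident, user, timestamp, request, status.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/May/2026:10:01:02 +0000] "GET /viewer/api/storage/designs/rev-b/board.PcbDoc HTTP/1.1" 200 48211',
    '10.0.0.5 - alice [12/May/2026:10:01:09 +0000] "GET /viewer/api/storage/%2Fetc%2Fpasswd HTTP/1.1" 200 2931',
    '10.0.0.7 - bob [12/May/2026:10:02:41 +0000] "GET /viewer/api/storage?file=%252e%252e%252f%252e%252e%252fetc%252fhostname HTTP/1.1" 200 12',
    '10.0.0.7 - bob [12/May/2026:10:03:15 +0000] "GET /viewer/api/storage?file=C%3A%5CWindows%5Cwin.ini HTTP/1.1" 200 403',
    '10.0.0.9 - carol [12/May/2026:10:04:00 +0000] "GET /docs/../index.html HTTP/1.1" 200 5120',
    '10.0.0.9 - carol [12/May/2026:10:05:30 +0000] "POST /comparison/api/jobs?left=rev-a&right=rev-b HTTP/1.1" 201 88',
]


def fully_decode(value, rounds=3):
    """Undo nested URL encoding (%252e -> %2e -> .), bounded to `rounds` passes."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def suspicious_params(request_target):
    """Return (param, decoded_value, reason) for every parameter of a watched
    endpoint that looks like a traversal or absolute-path attempt."""
    parts = urlsplit(request_target)
    prefix = next((p for p in WATCHED_PREFIXES if parts.path.startswith(p)), None)
    if prefix is None:
        return []
    # The path remainder is a candidate too: route parameters often live there.
    # The literal '/' after the prefix is route structure; an encoded %2F is payload.
    candidates = [("<path>", parts.path[len(prefix):].lstrip("/"))]
    candidates += parse_qsl(parts.query, keep_blank_values=True)
    findings = []
    for name, raw in candidates:
        value = fully_decode(raw)
        for reason, pattern in INDICATORS:
            if pattern.search(value):
                findings.append((name, value, reason))
                break
    return findings


def scan_log(lines):
    """Scan access-log lines; return one record per request with findings."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings = suspicious_params(m.group("target"))
        if findings:
            hits.append({"line": number, "user": m.group("user"),
                         "status": m.group("status"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two practical caveats: a 200 status on a flagged request is the signal to prioritise, since it suggests the read succeeded; and the ComparisonService filename issue will not show up in access logs at all, because the crafted value travels in the multipart body's Content-Disposition header, so that audit needs application-level or WAF request-body logging rather than the web server's access log.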