CVE-2026-9129— Altium Enterprise Server 路径遍历漏洞

Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read

A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem. Because the readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.

N/A

对路径名的限制不恰当(路径遍历)

Altium Enterprise Server 路径遍历漏洞

Altium Enterprise Server是美国Altium公司的一款本地化数据管理服务器。 Altium Enterprise Server存在路径遍历漏洞，该漏洞源于文件路径路由参数处理不当，可能导致经过身份验证的用户通过URL编码的绝对路径读取服务器文件系统任意文件。

N/A

N/A