CVE-2026-9129— Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read
Possible ATT&CK Techniques 1AI
T1530 · Data from Cloud StorageAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Altium | Altium Enterprise Server | < 8.0.4 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9129
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read
Source: NVD (National Vulnerability Database)
Vulnerability Description
A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem. Because the readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Altium Enterprise Server 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Altium Enterprise Server是美国Altium公司的一款本地化数据管理服务器。 Altium Enterprise Server存在路径遍历漏洞,该漏洞源于文件路径路由参数处理不当,可能导致经过身份验证的用户通过URL编码的绝对路径读取服务器文件系统任意文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Altium | Altium Enterprise Server | 0 ~ 8.0.4 | - |
II. Public POCs for CVE-2026-9129
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9129
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: Altium
- CVE-2026-9152
Unauthenticated SOAP Endpoint in Altium 365 SearchService Al - CVE-2026-9102
Path Traversal in Altium Enterprise Server ComparisonService - CVE-2025-27380
HTML Injection Leading to Script Execution in Altium Enterpr - CVE-2025-27379
Stored Cross-Site Scripting in AES BOM Viewer - CVE-2025-27378
SQL Injection in AES Due to Inactive SQL Parsing Configurati
V. Comments for CVE-2026-9129
No comments yet