CVE-2026-11429
CriticalCVSS 10.0Exploitation Probability (EPSS)
Elevated risk63th percentile — higher than 63% of all known CVEs
Summary
Two endpoints in the Vault Service ScriptsController accept file uploads where a user-supplied filename component is used to construct the destination path without validation. This allows arbitrary files to be written to any location writable by the service account.
Risk Assessment
An unauthenticated network attacker can exploit this vulnerability to place executable content in directories where it is later executed by the service, resulting in remote code execution under the Vault Service account.
Recommendation
It is recommended to upgrade to Altium Enterprise Server version 8.1.1 or use Altium 365, where the issue has been remediated at the service level.
Original NVD description (English source)
Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file uploads where a user-supplied filename component is used to construct the destination path without validation, allowing arbitrary files to be written to any location writable by the service account. Because the file write operation completes before authentication is validated, the vulnerability can be exploited without any credentials, session, or prior knowledge of the system. An unauthenticated network attacker can use this primitive to place executable content in directories where it is later executed by the service, resulting in remote code execution under the Vault Service account. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 (commercial and government cloud) at the service level.

