ctipilot.ch

CVE-2026-14439 — Altium Enterprise Server / Altium 365: authenticated path-traversal to RCE [SINGLE-SOURCE]

From CTI Daily Brief — 2026-07-02 · published 2026-07-02

A CWE-22 path-traversal flaw (CVSS 9.4) in the Git Service component shared by Altium Enterprise Server and the Altium 365 SaaS platform (electronics CAD / PCB-design collaboration) lets an authenticated user with only basic git access chain a sequence of post-clone file-manipulation operations that accept user-supplied paths without validation, moving arbitrary files outside the intended repository. Because moved files can land in locations later executed by the Git Service, the primitive escalates to remote code execution under the Git Service account; on multi-tenant Altium 365 the flaw could expose data belonging to other tenants sharing the same node (GitHub Security Advisory GHSA-m97g-7h77-r5pr, 2026-07-02). Altium Enterprise Server is fixed in 8.1.1; Altium 365's shared multi-tenant deployments were remediated at the service level, with remaining deployments in progress. No exploitation reported. The low privilege bar plus cross-tenant SaaS exposure make this notable for CH/EU manufacturing and defence-industrial-base engineering firms; multi-tenant customers should confirm with Altium that their specific node received the service-level fix rather than assuming blanket coverage.
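The advisory's root cause is a post-clone file-move operation that trusts user-supplied paths. The following is an added illustration of how such an operation is hardened against CWE-22, written for this brief and not code from Altium's Git Service; the repository and "service-hooks" directory names are constructed placeholders, and the check is the generic containment test (refuse absolute paths, canonicalise with realpath so `..` and symlinks are resolved, then compare with commonpath) rather than anything specific to Altium's fix.

```python
import os
import shutil
import tempfile

class PathTraversalError(ValueError):
    """Raised when a user-supplied path would escape the repository root."""

def resolve_inside(root: str, user_path: str) -> str:
    """Canonicalise user_path under root, raising if it leaves root.
    realpath resolves '..' and symlinks before the test; commonpath avoids
    the string-prefix bug ('/srv/repo' also prefixes '/srv/repo-other')."""
    if os.path.isabs(user_path):
        raise PathTraversalError(f"absolute path rejected: {user_path!r}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError(f"path escapes repository: {user_path!r}")
    return candidate

def safe_move(root: str, src_rel: str, dst_rel: str) -> str:
    """Move a file inside a cloned repository, validating both endpoints first."""
    src = resolve_inside(root, src_rel)
    dst = resolve_inside(root, dst_rel)
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    shutil.move(src, dst)
    return dst

def demo() -> dict:
    """Constructed scenario: a clone next to an out-of-tree directory a
    service might execute from (placeholder name, not an Altium path)."""
    base = tempfile.mkdtemp()
    repo, outside = os.path.join(base, "repo"), os.path.join(base, "service-hooks")
    os.makedirs(os.path.join(repo, "docs"))
    os.makedirs(outside)
    with open(os.path.join(repo, "docs", "note.txt"), "w") as f:
        f.write("constructed sample file")
    os.symlink(outside, os.path.join(repo, "link"))  # in-repo symlink pointing out
    results = {"in_tree": safe_move(repo, "docs/note.txt", "archive/note.txt")}
    attempts = {"dotdot": "../service-hooks/note.txt",
                "absolute": os.path.join(outside, "note.txt"),
                "symlink": "link/note.txt"}
    for label, dst in attempts.items():
        try:
            safe_move(repo, "archive/note.txt", dst)
            results[label] = "allowed"
        except PathTraversalError:
            results[label] = "rejected"
    results["still_inside"] = os.path.isfile(os.path.join(repo, "archive", "note.txt"))
    shutil.rmtree(base)
    return results
```

Every rejected case fails before any filesystem change is made, which is the property to verify when reviewing similar code: validation must precede the move, not follow it.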