ctipilot.ch

Altium Enterprise Server / Altium 365 Git Service path-traversal to RCE

cve · CVE-2026-14439 SINGLE-SOURCE

  • Coverage timeline: 1 (first 2026-07-02 → last 2026-07-02)
  • Briefs: 1 (1 distinct)
  • Sources cited: 1 (1 host)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-07-02: CTI Daily Brief — 2026-07-02
     trending_vulns: First coverage: authenticated path-traversal to RCE (CVSS 9.4), cross-tenant SaaS exposure; no ITW

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • github.com: 1 (100%)

Items in briefs about Altium Enterprise Server / Altium 365 Git Service path-traversal to RCE (1)

CVE-2026-14439 — Altium Enterprise Server / Altium 365: authenticated path-traversal to RCE [SINGLE-SOURCE]

From CTI Daily Brief — 2026-07-02 · published 2026-07-02

A CWE-22 path-traversal flaw (CVSS 9.4) in the Git Service component shared by Altium Enterprise Server and the Altium 365 SaaS platform (electronics CAD / PCB-design collaboration) lets an authenticated user with only basic git access chain a sequence of post-clone file-manipulation operations that accept user-supplied paths without validation, moving arbitrary files outside the intended repository. Because moved files can land in locations later executed by the Git Service, the primitive escalates to remote code execution under the Git Service account; on multi-tenant Altium 365 the flaw could expose data belonging to other tenants sharing the same node (GitHub Security Advisory GHSA-m97g-7h77-r5pr, 2026-07-02). Altium Enterprise Server is fixed in 8.1.1; Altium 365's shared multi-tenant deployments were remediated at the service level, with remaining deployments in progress. No exploitation reported. The low privilege bar plus cross-tenant SaaS exposure make this notable for CH/EU manufacturing and defence-industrial-base engineering firms; multi-tenant customers should confirm with Altium that their specific node received the service-level fix rather than assuming blanket coverage.
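As an added defensive illustration (not code from the advisory, Altium or GitHub), the check the brief says the Git Service's post-clone file operations were missing: every user-supplied path is resolved against the repository root and anything that lands outside it is refused before a move happens. The helper names and the temporary-directory scenario are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a user-supplied path would resolve outside the repository root."""


def resolve_inside(repo_root: Path, user_path: str) -> Path:
    """Resolve a repository-relative path and refuse any escape from repo_root.

    resolve() collapses '..' segments and follows symlinks, so a symlink that
    points outside the repository is caught the same way as a literal '../'.
    """
    root = repo_root.resolve(strict=True)
    if os.path.isabs(user_path):
        raise PathEscapeError(f"absolute path rejected: {user_path!r}")
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathEscapeError(f"path escapes repository: {user_path!r}") from None
    return candidate


def move_in_repo(repo_root: Path, src: str, dst: str) -> Path:
    """Rename src to dst only when both resolve inside repo_root (hypothetical API)."""
    s = resolve_inside(repo_root, src)
    d = resolve_inside(repo_root, dst)
    d.parent.mkdir(parents=True, exist_ok=True)  # parent is inside root because d is
    s.rename(d)
    return d


def demo() -> dict:
    """Constructed scenario: a repo with one file and a sibling directory outside it."""
    base = Path(tempfile.mkdtemp())
    repo = base / "repo"
    (repo / "docs").mkdir(parents=True)
    (repo / "docs" / "a.txt").write_text("x")
    (base / "outside").mkdir()
    results = {}
    moved = move_in_repo(repo, "docs/a.txt", "src/b.txt")          # legitimate move
    results["moved_inside"] = moved.exists() and moved.name == "b.txt"
    escapes = ("../outside/b.txt", "src/../../outside/b.txt", str(base / "outside" / "b.txt"))
    for bad in escapes:                                             # each must be blocked
        try:
            move_in_repo(repo, "src/b.txt", bad)
            results[bad] = "allowed"
        except PathEscapeError:
            results[bad] = "blocked"
    return results
```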