CVE-2026-14439
Last modified
CVE-2026-14439 is a critical-severity vulnerability rated 9.4/10 on the CVSS scale. A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to move arbitrary files outside the intended repository area. This file-move primitive can be used to place attacker-controlled script content into directories where it is later executed by the service, resulting in remote code execution under the Git Service account. EPSS estimates a 0.60% chance of exploitation in the next 30 days.
Description
A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to move arbitrary files outside the intended repository area. This file-move primitive can be used to place attacker-controlled script content into directories where it is later executed by the service, resulting in remote code execution under the Git Service account. On multi-tenant Altium 365 deployments, this could have allowed access to data belonging to other tenants on the same infrastructure node. Altium Enterprise Server is fixed in 8.1.1. The issue has been remediated across Altium 365 shared multi-tenant deployments at the service level; remediation is in progress on remaining Altium 365 deployments.
Metrics
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| Altium | Altium Enterprise Server | < 8.1.1 |
| Altium | Altium 365 | All versions |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-14439?
How severe is CVE-2026-14439?
How do I fix CVE-2026-14439?
Related CVEs from 2026
- CVE-2026-14428Insufficient validation of untrusted input in Dawn in Google…8.3
- CVE-2026-14429Insufficient validation of untrusted input in Skia in Google…8.3
- CVE-2026-1443A flaw has been found in code-projects Online Music Site 1.0…9.8
- CVE-2026-14430Integer overflow in V8 in Google Chrome prior to 150.0.7871.…8.8
- CVE-2026-14431Type Confusion in V8 in Google Chrome prior to 150.0.7871.46…8.8
- CVE-2026-14432Use after free in V8 in Google Chrome prior to 150.0.7871.46…8.8
- CVE-2026-1444A vulnerability has been found in iJason-Liu Books_Manager u…2.4
- CVE-2026-14440Description: To issue and renew TLS certificates on beha…7.6
- CVE-2026-14449u5CMS through v12.8.8 is vulnerable to reflected XSS via the…6.4
- CVE-2026-1445A vulnerability was found in iJason-Liu Books_Manager up to …4.7
- CVE-2026-14454Imager versions before 1.033 for Perl treat unsigned EXIF IF…9.8
- CVE-2026-14459Improper neutralization of argument delimiters in a command …8.8
Are you affected by CVE-2026-14439?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
