CVE-2026-11424
Published: 05 June 2026
Summary
CVE-2026-11424 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Altium Enterprise Server (inferred from references). Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1552.005); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-34917
Vulnerability details
A server-side request forgery (SSRF) vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a request whose input is treated as a URL by the server and used to…
more
issue an outbound HTTP GET request without URL validation or destination filtering. The response body is then returned to the user. This allows an authenticated attacker to reach internal services and metadata endpoints that would not otherwise be accessible from the public network, and to retrieve their contents. The impact is information disclosure and internal infrastructure reconnaissance; the request primitive is limited to HTTP GET with no custom headers. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF enables direct access to internal metadata APIs and network reconnaissance endpoints, facilitating the listed discovery techniques.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts to access or extract sensitive data, revealing exposure of sensitive information to unauthorized actors.
Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information leading to unauthorized exposure.
Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.
Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it.
By enforcing authorization matching prior to sharing, the control reduces the risk of exposing sensitive information to unauthorized actors.
Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.
Data mining protection mechanisms detect and block unauthorized bulk extraction of sensitive data, directly mitigating exposure to unauthorized actors.
Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information.