Description
A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data.

When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.
Published: 2026-01-15
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the Altium Enterprise Server Workflow Engine because workflow form submissions are stored without server‑side sanitization and later rendered in an administrator's browser. A low‑privileged authenticated user can inject arbitrary JavaScript into workflow data that executes when an administrator opens the workflow. Because the script runs in the administrator's browser session, the attacker can create new administrator accounts, steal session tokens, and perform administrative actions. The root cause is improper neutralization of input during web page generation (CWE-79); the outcome, control of privileged accounts by an unprivileged user, is tracked as improper privilege management (CWE-269).

Affected Systems

Altium Enterprise Server version 8.0.1 is impacted. No other affected versions were specified in the advisory.

Risk and Exploitability

The CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) reflects network reachability with only low privileges required and high impact to confidentiality, integrity and availability, tempered by the need for user interaction. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild over the near term, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment likewise records no known exploitation and rates the attack as not automatable but with total technical impact. The attack path requires an authenticated non‑administrator to submit malicious workflow data and, separately, an administrator to open the affected workflow. Once that page renders, the payload executes in the administrator's session without further interaction. Because exploitation depends on that privileged user action, feasibility is moderate, but the resulting impact is severe.

Generated by OpenCVE AI on April 18, 2026 at 05:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of Altium Enterprise Server that contains the vendor's fix for the Workflow Engine XSS flaw once one is published; at the time of writing the advisory references no fixed version.
  • Until a patch is available, apply contextual output encoding (HTML entity encoding for text nodes, attribute encoding for attribute values) wherever workflow form data is rendered, and validate submissions server‑side against the expected type and length of each field. Rejecting every non‑alphanumeric character is not an adequate substitute: it breaks legitimate workflow data and does not address the rendering contexts where the injection actually fires. Deploy a strict Content‑Security‑Policy (nonce‑ or hash‑based script-src, no 'unsafe-inline') as defence in depth against any residual injection.
  • Restrict who can view workflows submitted by lower‑privileged users to the administrators who need to, and review administrator account creation and session activity logs for entries that do not correspond to an expected change.

Generated by OpenCVE AI on April 18, 2026 at 05:52 UTC.

Advisories

No advisories yet.

History

Fri, 23 Jan 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Altium on-prem Enterprise Server

Type: CPEs
Values Added: cpe:2.3:a:altium:on-prem_enterprise_server:8.0.1:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Altium on-prem Enterprise Server

Fri, 16 Jan 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 15:45:00 +0000

Type: Title
Values Removed: Stored Cross-Site Scripting in Altium Workflow Engine Allows Privilege Escalation
Values Added: Stored Cross-Site Scripting in Altium Enterprise Server Workflow Engine Allows Privilege Escalation

Fri, 16 Jan 2026 14:15:00 +0000

Type: First Time appeared
Values Added: Altium; Altium altium 365

Type: Vendors & Products
Values Added: Altium; Altium altium 365

Thu, 15 Jan 2026 23:15:00 +0000

Type: Description
Values Added: A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.

Type: Title
Values Added: Stored Cross-Site Scripting in Altium Workflow Engine Allows Privilege Escalation

Type: Weaknesses
Values Added: CWE-269; CWE-79

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Altium; Altium 365; On-prem Enterprise Server

MITRE

Status: PUBLISHED

Assigner: Altium

Published:

Updated: 2026-02-05T22:07:23.193Z

Reserved: 2026-01-15T22:08:47.337Z

Link: CVE-2026-1010

Vulnrichment

Updated: 2026-01-16T17:05:28.562Z

NVD

Status : Analyzed

Published: 2026-01-15T23:15:51.323

Modified: 2026-01-23T19:31:41.887

Link: CVE-2026-1010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:00:08Z

Weaknesses