Description
Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments.
Published: 2026-01-19
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Workspace Access via Credentialed Cross-Origin Requests
Action: Apply Patch
AI Analysis

Impact

Altium 365's workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing policy that allows credentialed requests from any Altium‑controlled subdomain, such as forum.live.altium.com. This misconfiguration permits JavaScript running on those origins to call authenticated workspace APIs on behalf of a logged‑in user. The vulnerability is a classic access control flaw (CWE‑284) combined with a CORS misconfiguration (CWE‑942).

Affected Systems

The affected product is Altium 365, including deployments in standard and GovCloud environments. No specific product version numbers are listed; the issue applies to any instance exposing the described workspace endpoints. Subdomains controlled by Altium, like forum.live.altium.com, are implicitly included in the attack surface.

Risk and Exploitability

The CVSS score of 9 indicates high severity, while the EPSS score of less than 1% suggests a low probability of public exploitation at the time of assessment. The vulnerability is not listed in CISA's KEV catalog, implying no current evidence of widespread exploitation. The likely attack vector is cross‑origin JavaScript injection via an allowed subdomain, often chained with existing vulnerabilities in those external applications to read or modify workspace data, perform administrative actions, and sidestep IP allowlisting controls.

Generated by OpenCVE AI on April 18, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Reconfigure the CORS policy to allow credentialed requests only from authorized domains rather than all Altium‑controlled subdomains.
  • Remove or disable any configuration that permits credentialed requests from forum.live.altium.com or other Altium‑controlled subdomains.
  • Enforce IP allowlisting and verify that GovCloud deployments are not bypassed by the same CORS header.
  • Audit and monitor cross‑origin requests for unexpected credentials.
  • As a temporary workaround, block cross‑origin credentialed requests at the application firewall level until a vendor patch is available.

Generated by OpenCVE AI on April 18, 2026 at 19:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 21 Jan 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 21 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post. Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments.
Title Stored Cross-Site Scripting in Altium 365 Forum Leading to Cross-Customer Data Exposure Altium 365 Over-Permissive CORS Configuration Allows Credentialed Cross-Origin Workspace Access
Weaknesses CWE-942

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Altium
Altium altium 365
Vendors & Products Altium
Altium altium 365

Mon, 19 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post.
Title Stored Cross-Site Scripting in Altium 365 Forum Leading to Cross-Customer Data Exposure
Weaknesses CWE-284
CWE-79
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Altium Altium 365
cve-icon MITRE

Status: PUBLISHED

Assigner: Altium

Published:

Updated: 2026-01-26T21:20:18.423Z

Reserved: 2026-01-19T11:47:00.514Z

Link: CVE-2026-1181

cve-icon Vulnrichment

Updated: 2026-01-20T21:29:39.992Z

cve-icon NVD

Status : Deferred

Published: 2026-01-19T13:16:20.543

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1181

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses