Description
A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace's identifier can interact with that workspace's search index, crossing tenant boundaries.




Successful exploitation allows reading a workspace's indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected.
Published: 2026-05-21
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from a legacy SOAP endpoint in Altium 365 SearchService that accepts requests without any form of authentication, session token, or identity verification. An attacker who can identify a target workspace can retrieve the workspace’s indexed contents—including component data, project and folder names, and user metadata—while also injecting, modifying, or deleting index entries. These actions compromise the confidentiality of indexed information, undermine the integrity of search results, and affect availability of search services, though the underlying vault data remains untouched.

Affected Systems

Altium’s cloud product Altium 365 is impacted. On‑premise Altium Enterprise Server is not affected. No specific version details are supplied, so any cloud deployment of Altium 365 that still exposes the legacy SOAP SearchService is considered vulnerable.

Risk and Exploitability

The CVSS score of 10 classifies the flaw as critical. The EPSS score is not available, so the precise likelihood of exploitation is unknown; however, the vulnerability is actively exploitable over the network without authentication. The flaw is not listed in CISA’s KEV catalog. Attackers only need network connectivity to the SOAP endpoint and the workspace ID, making the attack surface broad and the potential impact severe.

Generated by OpenCVE AI on May 21, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade or patch Altium 365 to a version that removes or secures the legacy SOAP SearchService endpoint. This is the primary official fix.
  • Restrict network access to the SOAP endpoint by configuring firewalls or security groups so that only trusted administrative hosts can reach it. This limits the exposure of the unauthenticated endpoint.
  • Disable the legacy SOAP SearchService entirely if it remains available after the patch, ensuring all request handling requires proper authentication. This removes the authentication bypass that the vulnerability exploits.

Generated by OpenCVE AI on May 21, 2026 at 02:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 May 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Altium
Altium altium 365
Vendors & Products Altium
Altium altium 365

Thu, 21 May 2026 01:30:00 +0000

Type Values Removed Values Added
Description A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace's identifier can interact with that workspace's search index, crossing tenant boundaries. Successful exploitation allows reading a workspace's indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected.
Title Unauthenticated SOAP Endpoint in Altium 365 SearchService Allows Cross-Tenant Data Exfiltration and Index Destruction
Weaknesses CWE-306
CWE-639
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Altium Altium 365
cve-icon MITRE

Status: PUBLISHED

Assigner: Altium

Published:

Updated: 2026-05-21T12:41:39.633Z

Reserved: 2026-05-20T23:26:29.928Z

Link: CVE-2026-9152

cve-icon Vulnrichment

Updated: 2026-05-21T12:41:36.028Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T02:16:33.943

Modified: 2026-05-21T15:24:25.330

Link: CVE-2026-9152

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T02:30:45Z

Weaknesses