CVE-2026-1181 PUBLISHED

Altium 365 Over-Permissive CORS Configuration Allows Credentialed Cross-Origin Workspace Access

Assigner: Altium
Reserved: 19.01.2026 Published: 19.01.2026 Updated: 22.01.2026

Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Altium
Product	Altium 365
Versions	Default: affected Version unspecified is affected

References

https://www.altium.com/platform/security-compliance/security-advisories

Problem Types

CWE-942 – Permissive Cross-domain Policy with Untrusted Domains CWE
CWE-284 Improper Access Control CWE

Impacts

CAPEC-122 Privilege Abuse
CAPEC-17 Accessing, Modifying, or Executing Executable Files
CAPEC-233 Privilege Escalation via Trust Boundary Violation