Home

Description

Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments.

PUBLISHED Reserved 2026-01-19 | Published 2026-01-19 | Updated 2026-01-22 | Assigner Altium




CRITICAL: 9.0CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Problem types

CWE-942 – Permissive Cross-domain Policy with Untrusted Domains

CWE-284 Improper Access Control

Product status

Default status
affected

Any version
affected

References

www.altium.com/...rm/security-compliance/security-advisories

cve.org (CVE-2026-1181)

nvd.nist.gov (CVE-2026-1181)

Download JSON