Skip to main content

Resource Sharing CVE-2026-1181

CRITICAL
Improper Access Control (CWE-284)
2026-01-19 4760f414-e1ae-4ff1-bdad-c7a9c3538b79
9.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 19, 2026 - 13:16 nvd
CRITICAL 9.0

DescriptionCVE.org

Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments.

AnalysisAI

Altium 365 workspace endpoints had overly permissive CORS policies that allow unauthorized cross-origin access to workspace data, potentially exposing proprietary PCB designs and engineering data.

Technical ContextAI

Altium 365 workspace API endpoints were configured with CORS policies (CWE-284) that allow arbitrary origins to make authenticated requests, enabling malicious websites to steal session tokens and access workspace data.

Affected ProductsAI

Altium 365 workspace

RemediationAI

Altium has updated CORS policies. Ensure your Altium 365 instance is updated. Use browser extensions that restrict cross-origin requests for sensitive work.

Share

CVE-2026-1181 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy