CVE-2026-1181 CRITICAL

CVE-2026-1181: Altium 365 Over-Permissive CORS Configuration Allows Credentialed Cross-Origin Workspace Access

Vendor Altium
Product Altium 365
Weakness CWE-942
Published January 19, 2026
Last update January 26, 2026

CVSS base score

9.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments.

Key dates

02Disclosure timeline

January 19, 2026 CVE published
January 26, 2026 Record updated