Cyber Resilience

CVE-2026-1181

Severity: Critical
Published: 19 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: see the Altium security advisory linked under Deeper analysis
CVSS Score (v3.1): 9.0, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Score: 0.0031 (22.3rd percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-1181 is a critical-severity Improper Access Control (CWE-284) vulnerability in Altium products (vendor inferred from references). Its CVSS v3.1 base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 22.3rd percentile by exploit likelihood (EPSS, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-1181, published on 2026-01-19, affects Altium 365 workspace endpoints due to an overly permissive Cross-Origin Resource Sharing (CORS) policy. This configuration permitted credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. Consequently, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) and maps to CWE-284 (Improper Access Control) and CWE-942 (Permissive Cross-domain Policy with Untrusted Domains).

Attackers require low privileges (PR:L) and user interaction (UI:R), such as tricking a logged-in user into executing malicious JavaScript on permitted Altium subdomains. When chained with vulnerabilities in those external applications, exploitation allows unauthorized access to workspace data, execution of administrative actions, and circumvention of IP allowlisting controls, even in GovCloud environments. The cross-origin scope expansion (S:C) enables high confidentiality, integrity, and availability impacts.

Mitigation details are available in Altium's security advisory at https://www.altium.com/platform/security-compliance/security-advisories.
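The weakness described above is an origin check that treats every sibling subdomain of the parent domain as first-party and reflects it with credentials. The following Python is an added illustration, not Altium's code or configuration: it places that permissive pattern beside an exact-match allowlist policy and adds a small audit function that flags a response granting a credentialed cross-origin read to an origin outside the allowlist. All hostnames (`example.com` and its subdomains) and the `TRUSTED_ORIGINS` set are constructed placeholders.

```python
"""Added example (not Altium's code): a CORS origin policy that is permissive in
the way CVE-2026-1181 describes, a hardened exact-match policy, and an auditor
that flags permissive responses.  Hostnames are constructed placeholders."""

from urllib.parse import urlsplit

# Constructed tenant: the parent domain shared by the workspace API and by
# sibling subdomains (forum, docs, ...) that must NOT be trusted by default.
PARENT_DOMAIN = "example.com"
TRUSTED_ORIGINS = frozenset({
    "https://workspace.example.com",   # the workspace web client itself
})


def permissive_cors(origin: str) -> dict[str, str]:
    """Weak policy (the bug pattern): any https origin whose host ends with the
    parent domain is reflected back *with* credentials.  A sibling subdomain
    such as forum.example.com is thereby treated as first-party, so script
    running there can read authenticated API responses as the logged-in user."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    same_tenant = host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)
    if parts.scheme == "https" and same_tenant:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def hardened_cors(origin: str) -> dict[str, str]:
    """Hardened policy: exact match against an allowlist of full origins
    (scheme + host + port).  Any other origin, sibling subdomains included,
    gets no CORS headers, so the browser withholds the response from script."""
    if origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",   # responses differ per origin; keep caches honest
        }
    return {}


def is_permissive(request_origin: str, response_headers: dict[str, str]) -> bool:
    """Audit check for a captured response: True when the API grants a
    credentialed cross-origin read to an origin outside TRUSTED_ORIGINS.
    Header names are matched case-insensitively, as HTTP requires."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin", "")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        # Browsers reject '*' combined with credentials, so a wildcard cannot
        # leak an authenticated response; it is a different finding.
        return False
    return creds and acao == request_origin and request_origin not in TRUSTED_ORIGINS


if __name__ == "__main__":
    probes = ("https://workspace.example.com", "https://forum.example.com", "https://evil.test")
    for origin in probes:
        for name, policy in (("permissive", permissive_cors), ("hardened", hardened_cors)):
            hdrs = policy(origin)
            print(f"{name:10} {origin:32} flagged={is_permissive(origin, hdrs)} {hdrs}")
```

Running the block shows the forum subdomain flagged under the permissive policy and silent under the hardened one; the same `is_permissive` check can be run over captured responses from a CORS review of any authenticated API.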

Vulnerability details

Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct exploitation of permissive CORS policy in public-facing Altium 365 web workspace APIs enables cross-origin authenticated access and admin actions from compromised subdomains.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7198 (shared CWE-284)
CVE-2026-46818 (shared CWE-284)
CVE-2025-70363 (shared CWE-284)
CVE-2026-34310 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2026-34287 (shared CWE-284)
CVE-2026-44277 (shared CWE-284)
CVE-2025-66509 (shared CWE-284)
CVE-2025-50900 (shared CWE-284)
CVE-2025-7016 (shared CWE-284)

Affected Assets

Altium (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: AC-4 (Information Flow Enforcement). Enforces approved authorizations for controlling information flows between origins and subdomains, directly preventing the credentialed cross-origin requests enabled by permissive CORS policies.

Prevent: CM-6 (Configuration Settings). Mandates secure and restrictive configuration settings for web endpoints, including CORS headers, to block unauthorized access from untrusted Altium subdomains.

Prevent: Enforces logical access controls on workspace APIs to limit unauthorized data access and administrative actions even if cross-origin requests occur.
