CVE-2026-9152
Published: 21 May 2026
Summary
CVE-2026-9152 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Altium Enterprise Server (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31205
Vulnerability details
A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace's identifier can interact with that workspace's search index, crossing tenant boundaries. Successful exploitation allows reading a workspace's indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on a public-facing legacy SOAP endpoint directly enables remote exploitation to access and manipulate tenant search indexes.
Mitigating Controls
Likely Mitigating Controls
Control mapping for this CVE has not yet run; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring established identification and authentication to unlock a session mitigates missing authentication for continued system access.
Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.
Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.
Guarantees critical functions are protected by mandatory invocation of the access control mechanism.
Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.
Auditing sessions makes it possible to detect access to critical functions without required authentication.
The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.