CVE-2026-1181

Severity: CRITICAL 9.0 · EPSS percentile 22.2%

Description

Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments.

Scoring

CVSS 3.1: 9.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.31% probability of exploitation · percentile 22.2% · scored 2026-06-18T12:00:27Z
Published: 2026-01-19
Last modified: 2026-04-15

Underlying weaknesses (2)

  CWE-284, CWE-942

References

  1. https://www.altium.com/platform/security-compliance/security-advisories

Weakness mappings (2)

Type      Target                                                          ID       Confidence  Tier
Weakness  Improper Access Control                                         CWE-284  0%          live
Weakness  Permissive Cross-domain Security Policy with Untrusted Domains  CWE-942  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2026-11424
  - CVE-2026-11431
  - CVE-2026-11423
  - CVE-2026-11419
  - CVE-2026-11429
  - CVE-2026-11420

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.