CVE-2026-1181

Published Jan 19, 2026

Last updated 9 days ago

CVSS critical 9.0
API

Overview

Description
Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments.
Source
4760f414-e1ae-4ff1-bdad-c7a9c3538b79
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
9
Impact score
6
Exploitability score
2.3
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

4760f414-e1ae-4ff1-bdad-c7a9c3538b79
CWE-284

Social media

Hype score
Not currently trending

Related CVEs

  1. Fortinet FortiClient EMS Improper Access Control VulnerabilityCVE-2026-35616
  2. A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.CVE-2026-25197
  3. GCB/FCB Audit Software developed by DrangSoft has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access certain APIs to create a new administrative account.CVE-2026-4312
  4. Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9 on all platforms may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context. To remediate this issue, users should upgrade to version 1.3.9.CVE-2026-4270
  5. OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled. This issue has been patched in version 3000.10.3.CVE-2026-28789

References

Sources include official advisories and independent security research.