CVE-2026-1181

Published Jan 19, 2026

Last updated 2 months ago

CVSS critical 9.0
API

Overview

Description
Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments.
Source
4760f414-e1ae-4ff1-bdad-c7a9c3538b79
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
9
Impact score
6
Exploitability score
2.3
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

4760f414-e1ae-4ff1-bdad-c7a9c3538b79
CWE-284

Social media

Hype score
Not currently trending

Related CVEs

  1. Nx Console Embedded Malicious Code VulnerabilityCVE-2026-48027
  2. Microsoft Defender Denial of Service VulnerabilityCVE-2026-45498
  3. Microsoft Defender Link Following VulnerabilityCVE-2026-41091
  4. Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.CVE-2026-7776
  5. A security flaw has been discovered in puchunjie doc-tools-mcp 1.0.18. This affects the function create_document/open_document of the file src/mcp-server.ts of the component MCP Interface. The manipulation of the argument filePath results in path traversal. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.CVE-2026-7738

References

Sources include official advisories and independent security research.