PT-2026-42360 · Altium · Altium 365

·

CVE-2026-9152

·

Published

2026-05-21

·

Updated

2026-05-21

CVSS v4.0

10

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Altium 365 (affected versions not specified)
Description A missing authentication issue exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or identity verification. An unauthenticated network attacker with a target workspace identifier can interact with the search index, crossing tenant boundaries. This allows the attacker to read indexed contents, such as component data, project and folder names, and user metadata, as well as inject, modify, or delete search index entries. These actions impact the search index rather than the underlying vault data, potentially disclosing sensitive workspace information and compromising the integrity and availability of search results.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Missing Authentication

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9152

Affected Products

Altium 365