PT-2026-42360 · Altium · Altium 365
CVSS v4.0
10
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Altium 365 (affected versions not specified)
Description
A missing authentication issue exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or identity verification. An unauthenticated network attacker with a target workspace identifier can interact with the search index, crossing tenant boundaries. This allows the attacker to read indexed contents, such as component data, project and folder names, and user metadata, as well as inject, modify, or delete search index entries. These actions impact the search index rather than the underlying vault data, potentially disclosing sensitive workspace information and compromising the integrity and availability of search results.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Missing Authentication
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Altium 365