CVE-2026-9152— Unauthenticated SOAP Endpoint in Altium 365 SearchService Allows Cross-Tenant Data Exfiltration and Index Destruction
Possible ATT&CK Techniques 3AI
T1133 · External Remote Services T1190 · Exploit Public-Facing Application T1530 · Data from Cloud StorageAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Altium | Altium 365 | any | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9152
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unauthenticated SOAP Endpoint in Altium 365 SearchService Allows Cross-Tenant Data Exfiltration and Index Destruction
Source: NVD (National Vulnerability Database)
Vulnerability Description
A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace's identifier can interact with that workspace's search index, crossing tenant boundaries. Successful exploitation allows reading a workspace's indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
关键功能的认证机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Altium 365 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Altium 365是美国Altium公司的一个产品设计和开发平台。 Altium 365存在访问控制错误漏洞,该漏洞源于缺少身份验证,可能导致未经身份验证的攻击者读取、注入、修改或删除搜索索引条目。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Altium | Altium 365 | - | - |
II. Public POCs for CVE-2026-9152
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9152
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: Altium
- CVE-2026-9129
Path Traversal in Altium Enterprise Server Viewer StorageCon - CVE-2026-9102
Path Traversal in Altium Enterprise Server ComparisonService - CVE-2025-27380
HTML Injection Leading to Script Execution in Altium Enterpr - CVE-2025-27379
Stored Cross-Site Scripting in AES BOM Viewer - CVE-2025-27378
SQL Injection in AES Due to Inactive SQL Parsing Configurati
Same weakness: CWE-306
- CVE-2026-9141
Taiko AG1000-01A Rev 7.3/8 Authentication Bypass via Web Int - CVE-2026-20223
Cisco Secure Workload Unauthorized API Access Vulnerability - CVE-2026-8602
Missing authentication for critical function in ScadaBR - CVE-2018-25335
WordPress Plugin Peugeot Music 1.0 Arbitrary File Upload - CVE-2018-25332
GitBucket 4.23.1 Unauthenticated Remote Code Execution
V. Comments for CVE-2026-9152
No comments yet