CVE-2026-9152
Description
A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace's identifier can interact with that workspace's search index, crossing tenant boundaries.
Successful exploitation allows reading a workspace's indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SOAP endpoint in Altium 365 SearchService allows cross-tenant search index read/write operations, leading to information disclosure and integrity compromise.
Vulnerability
A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. Affected versions include all Altium 365 cloud deployments; on-premise Altium Enterprise Server is not affected. An attacker who can reference a target workspace's identifier can interact with that workspace's search index, crossing tenant boundaries [1].
Exploitation
An unauthenticated network attacker can exploit this vulnerability by sending SOAP requests to the vulnerable endpoint. The attacker must know a valid workspace identifier (which may be guessable or obtainable through other means). No authentication or user interaction is required. The attacker can then read, inject, modify, or delete search index entries by crafting appropriate requests [1].
Impact
Successful exploitation allows the attacker to read a workspace's indexed contents, including component data, project and folder names, and user metadata, leading to information disclosure. Additionally, the attacker can inject, modify, or delete search index entries, compromising the integrity and availability of search results. These operations affect the search index only, not the underlying vault data, but can still disclose sensitive information and degrade the user experience [1].
Mitigation
As of the publication date, Altium has not publicly disclosed a fixed version for this vulnerability in the available references. Affected deployments should monitor the Altium security advisories page [1] for updates. Network segmentation and restricting access to the SOAP endpoint may serve as temporary workarounds until a patch is released.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.