PatchSiren

CVE-2026-9152 Altium CVE debrief

CVE-2026-9152 is a critical missing-authentication issue in Altium 365's legacy SearchService SOAP endpoint. An unauthenticated network attacker who can reference a target workspace identifier can interact with that workspace's search index without any session token or identity check, creating a cross-tenant exposure. The reported impact is limited to the search index layer, but that still includes sensitive workspace information and lets an attacker inject, modify, or delete index entries, degrading confidentiality, integrity, and availability of search results.

Vendor: Altium
Product: Altium 365
CVSS: CRITICAL 10
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Security teams and administrators responsible for Altium 365 cloud deployments, especially organizations that rely on workspace search data for design collaboration, discovery, or governance. SOC and incident response teams should also care because the flaw is unauthenticated and remotely reachable. On-premise Altium Enterprise Server users are reported as not affected.

Technical summary

According to the supplied CVE description and NVD metadata, the issue is a legacy SOAP endpoint in Altium 365 SearchService that exposes search index operations without authentication, session tokens, or identity verification. The weakness aligns with CWE-306 (Missing Authentication for Critical Function) and CWE-639 (Authorization Bypass Through User-Controlled Key). Exploitation requires only network access and a target workspace identifier, and it can cross tenant boundaries. Impact is confined to the search index rather than the underlying vault data, but the attacker can read indexed contents such as component data, project and folder names, and user metadata, and can also inject, modify, or delete search index entries. NVD assigns a CVSS 4.0 score of 10.0 (CRITICAL), with network reachability, no authentication, and no user interaction required, and high confidentiality, integrity, and availability impact.

Defensive priority

Urgent. This is a remotely reachable, unauthenticated, cross-tenant flaw with critical severity and direct impact on data confidentiality and search integrity. Even though the underlying vault is not reported as exposed, the search index itself may contain sensitive workspace metadata and corrupted results can mislead users and workflows.

Recommended defensive actions

  • Confirm whether your environment uses Altium 365 cloud services and identify any exposure of the legacy SearchService SOAP endpoint.
  • Restrict network access to affected service endpoints where possible and apply vendor guidance from the Altium security advisories page referenced by NVD.
  • Review workspace search index integrity for unexpected additions, deletions, or modifications.
  • Audit logs for unauthenticated access attempts or abnormal workspace-identifier-based requests.
  • Treat affected search-index data as potentially exposed and assess whether any sensitive metadata was indexed.
  • If you operate on-premise Altium Enterprise Server, validate applicability separately; the supplied description says it is not affected.
  • Follow the vendor advisory and re-check official NVD/CVE records for updates or remediation details.
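
One way to carry out the log audit recommended above, as an added example that is not PatchSiren's or Altium's code. It assumes a JSON Lines export of request logs; the path placeholder, field names (src, path, op, workspace, session), and operation labels are hypothetical, since the page gives neither the endpoint path nor a log format.

```python
import json
from collections import defaultdict

SEARCH_PATH = "/search-endpoint-placeholder"   # assumption: real path is not on the page
WRITE_OPS = {"add", "update", "delete"}        # hypothetical operation labels

# Constructed sample export (JSON Lines); every field name and value is invented.
SAMPLE_LOG = """
{"src":"203.0.113.10","path":"/search-endpoint-placeholder","op":"query","workspace":"ws-001","session":"s-9f2"}
{"src":"198.51.100.7","path":"/search-endpoint-placeholder","op":"query","workspace":"ws-001","session":null}
{"src":"198.51.100.7","path":"/search-endpoint-placeholder","op":"delete","workspace":"ws-002","session":""}
{"src":"198.51.100.7","path":"/search-endpoint-placeholder","op":"query","workspace":"ws-003"}
{"src":"203.0.113.10","path":"/other","op":"query","workspace":"ws-001","session":null}
not-json
"""

def audit(log_text, fanout_threshold=3):
    """Return (findings, fanout): unauthenticated search requests, and sources
    that touched at least `fanout_threshold` distinct workspace identifiers."""
    findings, touched = [], defaultdict(set)
    for lineno, raw in enumerate(log_text.strip().splitlines(), 1):
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            findings.append((lineno, "unparseable", None))  # never skip silently
            continue
        if not isinstance(ev, dict) or ev.get("path") != SEARCH_PATH:
            continue
        src = ev.get("src", "unknown")
        touched[src].add(ev.get("workspace"))
        if not ev.get("session"):              # missing, null, or empty token
            kind = "unauth-write" if ev.get("op") in WRITE_OPS else "unauth-read"
            findings.append((lineno, kind, src))
    fanout = {s: sorted(map(str, w)) for s, w in touched.items()
              if len(w) >= fanout_threshold}
    return findings, fanout

if __name__ == "__main__":
    found, wide = audit(SAMPLE_LOG)
    for item in found:
        print(item)
    print("multi-workspace sources:", wide)
```

Entries tagged unauth-write correspond to the index additions, deletions, or modifications called out in the integrity review item, so they are the first candidates to cross-check against the current index state.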

Evidence notes

The CVE and NVD records both show publication and modification on 2026-05-21. NVD references the Altium security advisories page as the vendor source. The supplied description explicitly states that Altium 365 cloud deployments are affected and on-premise Altium Enterprise Server is not affected. Vendor/product attribution in the provided corpus is not fully consistent, so the Altium/Altium 365 naming should be treated as the best available evidence rather than a fully verified asset inventory mapping.

Official resources

The CVE record was published and last modified on 2026-05-21 02:16:33.943Z. The supplied NVD entry is marked 'Received' and references an Altium security advisories page. No CISA KEV entry was provided in the corpus.