CVE-2026-0535
📋 TL;DR
A stored cross-site scripting vulnerability in Autodesk Fusion allows attackers to inject malicious HTML into component descriptions. When users click the crafted payload, it can execute arbitrary JavaScript in the application context, potentially leading to local file access or code execution. This affects all Autodesk Fusion desktop application users who view or interact with component descriptions.
💻 Affected Systems
- Autodesk Fusion
📦 What is this software?
Fusion by Autodesk
⚠️ Risk & Real-World Impact
Worst Case
Malicious actor gains full control of the user's system through arbitrary code execution, leading to data theft, ransomware deployment, or complete system compromise.
Likely Case
Attackers steal sensitive local files, session tokens, or credentials through JavaScript execution in the application context.
If Mitigated
With proper input validation and output encoding, the payload would be rendered as harmless plain text rather than executed as code.
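As an added illustration of the output-encoding point above (example code written for this page, not Autodesk's implementation, and making no claim about how Fusion renders descriptions internally), the JavaScript below contrasts an unsafe string-concatenation render with an escaped one, and adds a validation check that rejects markup before a description is stored. The sample payload is constructed; `run()` is a placeholder for whatever handler an injected element would invoke.

```javascript
// Added example (not Autodesk code): HTML-escaping a component description
// before it is placed into markup, beside the unsafe pattern it replaces.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode every character that carries meaning in HTML text or attribute context.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored description is concatenated into markup unchanged,
// so any tag it contains becomes live DOM when the view is rendered.
function renderDescriptionUnsafe(description) {
  return `<div class="component-description">${description}</div>`;
}

// Hardened pattern: the description is escaped first, so tags survive only as text.
function renderDescriptionSafe(description) {
  return `<div class="component-description">${escapeHtml(description)}</div>`;
}

// Input-validation layer (defence in depth, not a substitute for encoding):
// refuse to store a description that contains angle brackets or is unreasonably long.
function validateDescription(description, maxLength = 512) {
  if (typeof description !== 'string') return false;
  if (description.length > maxLength) return false;
  return !/[<>]/.test(description);
}

// Constructed sample: a description carrying an injected clickable element.
// run() is a placeholder name, not a real handler.
const SAMPLE_PAYLOAD = 'Bracket, M6 <a href="#" onclick="run()">spec sheet</a>';

console.log('unsafe :', renderDescriptionUnsafe(SAMPLE_PAYLOAD));
console.log('safe   :', renderDescriptionSafe(SAMPLE_PAYLOAD));
console.log('stored?:', validateDescription(SAMPLE_PAYLOAD));
```

The escaped render still shows the user exactly what was typed, which is what the "rendered as plain text" outcome in the mitigation paragraph means in practice; the validation check is there so that a bad value never reaches the store in the first place.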
🎯 Exploit Status
Exploitation requires the attacker to have the ability to create or modify component descriptions, and a user must click the malicious payload. Because the payload is stored, it persists and reaches every user who views the description, which makes this more dangerous than reflected XSS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version specified in Autodesk Security Advisory ADSK-SA-2026-0001
Vendor Advisory: https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001
Restart Required: Yes
Instructions:
1. Open Autodesk Fusion.
2. Go to Help > Check for Updates.
3. Install the latest available update.
4. Restart the application.
5. Verify the version matches the patched version in the security advisory.
🔧 Temporary Workarounds
Disable component description editing
- Restrict user permissions to prevent modification of component descriptions where possible
User awareness training
- Train users to avoid clicking suspicious links or content in component descriptions
🧯 If You Can't Patch
- Implement network segmentation to isolate Autodesk Fusion systems from critical assets
- Deploy application control solutions to prevent unauthorized code execution from the application
🔍 How to Verify
Check if Vulnerable:
Check if your Autodesk Fusion version is older than the patched version mentioned in ADSK-SA-2026-0001
Check Version:
In Autodesk Fusion: Help > About Fusion 360
Verify Fix Applied:
Verify the application version matches or exceeds the patched version in the security advisory
📡 Detection & Monitoring
Log Indicators:
- Unusual component description modifications
- Multiple failed description update attempts
- Unexpected application crashes after viewing components
Network Indicators:
- Outbound connections from Autodesk Fusion to unexpected domains
- File transfer patterns from local directories
SIEM Query:
process:autodesk* AND (event:file_read OR event:network_connection) AND NOT destination:autodesk.com
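As an added illustration (not part of the advisory, and not tied to any particular SIEM product), the JavaScript below expresses the query above as a filter and runs it over constructed telemetry records. Field names `process`, `event` and `destination` follow the query; the check treats `destination:autodesk.com` as matching that host and its subdomains, which is broader than the strict equality some SIEM engines apply, and it counts records with no destination field (such as file reads) as satisfying the NOT clause, as the query intends.

```javascript
// Added example (not from the advisory): the SIEM query
//   process:autodesk* AND (event:file_read OR event:network_connection)
//     AND NOT destination:autodesk.com
// expressed as a filter over constructed endpoint telemetry records.

// Constructed sample records; the 'id' field exists only to label results.
// 203.0.113.10 is a documentation address, not a real indicator.
const SAMPLE_EVENTS = [
  { id: 1, process: 'Autodesk Fusion.exe', event: 'network_connection', destination: 'api.autodesk.com' },
  { id: 2, process: 'Autodesk Fusion.exe', event: 'network_connection', destination: '203.0.113.10' },
  { id: 3, process: 'Autodesk Fusion.exe', event: 'file_read', path: 'C:\\Users\\alice\\Documents\\credentials.txt' },
  { id: 4, process: 'chrome.exe', event: 'network_connection', destination: 'example.com' },
  { id: 5, process: 'Autodesk Fusion.exe', event: 'process_create', destination: '' },
  { id: 6, process: 'AutodeskFusion', event: 'network_connection', destination: 'autodesk.com' },
];

// process:autodesk* -> prefix match, case-insensitive like most SIEM engines.
function isAutodeskProcess(name) {
  return typeof name === 'string' && name.toLowerCase().startsWith('autodesk');
}

// event:file_read OR event:network_connection
const WATCHED_EVENTS = new Set(['file_read', 'network_connection']);

// destination:autodesk.com -> the host itself or any subdomain (design choice:
// broader than strict equality, so api.autodesk.com is also excluded).
function isAutodeskDestination(dest) {
  if (typeof dest !== 'string' || dest === '') return false;
  const host = dest.toLowerCase();
  return host === 'autodesk.com' || host.endsWith('.autodesk.com');
}

// Full query: a record matches when all three clauses hold. A record with no
// destination at all (e.g. a file read) satisfies NOT destination:autodesk.com.
function matchesQuery(record) {
  return isAutodeskProcess(record.process)
    && WATCHED_EVENTS.has(record.event)
    && !isAutodeskDestination(record.destination);
}

function findSuspiciousEvents(records) {
  return records.filter(matchesQuery);
}

// One line per hit, the shape an analyst would want in an alert body.
function summarize(record) {
  const where = record.destination || record.path || '(none)';
  return `[${record.id}] ${record.process} ${record.event} -> ${where}`;
}

for (const hit of findSuspiciousEvents(SAMPLE_EVENTS)) {
  console.log(summarize(hit));
}
```

On the sample set the filter returns the outbound connection to the non-Autodesk address and the local file read, and drops the legitimate Autodesk traffic, the unrelated browser process and the unwatched event type. Expect a baseline of benign file reads from a CAD application; in production this query is a starting point to be tuned against normal Fusion activity rather than an alert on its own.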