CVE-2026-1010

8.0 HIGH

📋 TL;DR

A stored XSS vulnerability in Altium Workflow Engine allows authenticated users to inject malicious JavaScript into workflow data. When administrators view compromised workflows, the script executes in their browser context, enabling privilege escalation and administrative actions. This affects all Altium users with workflow access.

💻 Affected Systems

Products:
  • Altium Workflow Engine
Versions: All versions prior to patch
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to workflow submission APIs.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise: attackers create new admin accounts, steal session tokens, execute arbitrary administrative commands, and potentially pivot to other systems.

🟠 Likely Case

Privilege escalation leading to unauthorized administrative access, data theft, and workflow manipulation.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, with admin accounts protected by MFA.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access but uses simple JavaScript injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific version

Vendor Advisory: https://www.altium.com/platform/security-compliance/security-advisories

Restart Required: Yes

Instructions:

1. Review vendor advisory for patch version.
2. Backup workflow data.
3. Apply patch from vendor.
4. Restart Altium services.
5. Verify fix implementation.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Implement server-side input sanitization for workflow form submissions.

Add input validation to the workflow submission APIs that strips or escapes HTML script markup, and encode workflow data on output so that anything that slips through is rendered as text rather than executed.

Content Security Policy

Applies to: all

Implement CSP headers to restrict script execution.

Add a Content-Security-Policy header with a script-src directive that disallows inline scripts, so injected script tags and javascript: URLs are blocked by the browser even if they reach the page.

🧯 If You Can't Patch

  • Restrict workflow creation/modification permissions to trusted users only
  • Implement web application firewall rules to detect and block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Test workflow form submission with XSS payloads like <script>alert('test')</script> and check if script executes when viewed

Check Version:

Check Altium version via admin console or system information panel

Verify Fix Applied:

Attempt same XSS payloads after patch; scripts should be properly sanitized and not execute

📡 Detection & Monitoring

Log Indicators:

  • Unusual workflow modifications
  • JavaScript patterns in workflow data submissions
  • Multiple failed admin login attempts after workflow views

Network Indicators:

  • HTTP requests with JavaScript payloads in workflow parameters
  • Unusual outbound connections from admin workstations

SIEM Query:

source="altium_logs" AND (message="*<script>*" OR message="*javascript:*")
