CVE-2026-4345 Overview
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Autodesk Fusion desktop application. A maliciously crafted HTML payload, stored in a design name and subsequently exported to CSV, can trigger the XSS condition. This vulnerability allows a malicious actor to read local files or execute arbitrary code in the context of the current process, making it a significant security concern for organizations utilizing Autodesk Fusion for design work.
Critical Impact
Successful exploitation enables attackers to read local files and execute arbitrary code within the application's process context, potentially compromising sensitive design data and system integrity.
Affected Products
- Autodesk Fusion Desktop Application (Windows)
- Autodesk Fusion Desktop Application (macOS)
Discovery Timeline
- April 14, 2026 - CVE-2026-4345 published to NVD
- April 14, 2026 - Last updated in NVD database
Technical Details for CVE-2026-4345
Vulnerability Analysis
This vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) occurs due to insufficient input sanitization in the design name field when exporting data to CSV format. The Autodesk Fusion desktop application fails to properly sanitize HTML content embedded within design names before processing them during the CSV export operation. When a user creates or imports a design with a maliciously crafted name containing an HTML/JavaScript payload and then exports the project data to CSV, the application renders the malicious content without proper escaping, leading to script execution.
The local attack vector requires user interaction to trigger—specifically, the victim must export a project containing the malicious design name to CSV format. Once triggered, the attacker gains the ability to execute code with the same privileges as the Fusion application process, which may include access to local files and system resources.
Root Cause
The root cause lies in improper neutralization of user-supplied input during the CSV export functionality. The application stores design names without adequate validation, and when these names are processed during export operations, embedded HTML and JavaScript content is interpreted rather than escaped. This creates a persistent XSS condition where the malicious payload remains stored in the project file and triggers whenever the affected design is exported.
Attack Vector
The attack follows a local exploitation path requiring user interaction:
- An attacker crafts a design file with a malicious HTML/JavaScript payload embedded in the design name field
- The victim opens or imports this design into their Autodesk Fusion application
- When the victim exports the project data to CSV format, the application processes the design name without proper sanitization
- The embedded script executes in the context of the application process
- The attacker's payload can then read local files or execute additional arbitrary code
The vulnerability requires local access and user interaction (opening the malicious design and performing a CSV export), which limits the attack surface but still poses significant risk when untrusted design files are processed.
Detection Methods for CVE-2026-4345
Indicators of Compromise
- Autodesk Fusion design files (.f3d, .f3z) containing HTML tags or JavaScript in design name metadata
- Unusual script execution originating from the Autodesk Fusion process
- Unexpected file access patterns from the Fusion application, particularly reads of sensitive local files
- CSV export files containing unescaped HTML or script content
Detection Strategies
- Monitor Autodesk Fusion process behavior for unexpected child processes or script interpreters
- Implement file integrity monitoring on systems where Fusion is installed to detect unauthorized file access
- Scan imported design files for suspicious strings in metadata fields before opening
- Review CSV export outputs for evidence of injected HTML or JavaScript content
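As an added example that is not part of this advisory or of Autodesk's code: a small Python scanner that flags design-name cells in a CSV export containing HTML markup (the "Review CSV export outputs" strategy above) and shows the output-encoding step whose absence is described under Root Cause. The sample CSV, the "Design Name" column header and the marker patterns are constructed assumptions; real Fusion exports may use different headers.

```python
"""Scan a CSV export for design-name cells that carry unescaped HTML, and show
the neutralization step (CWE-79 output encoding) the exporter should apply."""
import csv
import html
import io
import re

# Patterns a defender would flag in a metadata field: any HTML tag, an inline
# event-handler attribute, or a javascript: URL scheme.
HTML_MARKERS = [
    re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>"),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
]

# Constructed sample export (not a real Fusion file): row 4 carries an HTML tag
# in its design name, the kind of content the advisory says is rendered unescaped.
SAMPLE_CSV = """Design Name,Part Number,Quantity
Bracket,BR-100,4
Housing,HS-220,1
"Bracket<script>x()</script>",BR-101,2
"""


def looks_like_html(value: str) -> bool:
    """True if the cell contains markup an HTML renderer would interpret."""
    return any(p.search(value) for p in HTML_MARKERS)


def scan_csv_export(text: str, columns=("Design Name",)):
    """Return (row_number, column, value) for every flagged cell.

    Row numbers count the header as row 1, so the first data row is row 2.
    """
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    for row_no, row in enumerate(reader, start=2):
        for col in columns:
            value = row.get(col) or ""
            if looks_like_html(value):
                findings.append((row_no, col, value))
    return findings


def neutralize_design_name(name: str) -> str:
    """Escape a design name before placing it in any HTML context; the escaped
    string displays literally and no longer matches the HTML markers."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    for row_no, col, value in scan_csv_export(SAMPLE_CSV):
        print(f"row {row_no} [{col}]: {value!r} -> {neutralize_design_name(value)!r}")
```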
Monitoring Recommendations
- Enable detailed logging for file operations performed by the Autodesk Fusion application
- Configure endpoint detection to alert on unusual process spawning from Fusion
- Establish baseline behavior for the Fusion application and alert on deviations
- Monitor network connections initiated by the Fusion process for potential data exfiltration
How to Mitigate CVE-2026-4345
Immediate Actions Required
- Update Autodesk Fusion to the latest version as referenced in Autodesk Security Advisory SA-2026-0005
- Avoid opening design files from untrusted sources until patches are applied
- Restrict CSV export functionality in environments processing third-party design files
- Implement application whitelisting to prevent unauthorized code execution from the Fusion process
Patch Information
Autodesk has released updated versions of Fusion to address this vulnerability. Users should download and install the latest version from the official Autodesk channels:
For complete details on the security update, refer to Autodesk Security Advisory SA-2026-0005.
Workarounds
- Implement strict file origin policies requiring design files to come only from trusted, verified sources
- Sanitize design file metadata using third-party tools before importing into Fusion
- Disable or restrict CSV export functionality through organizational policy until the patch is applied
- Run Autodesk Fusion in a sandboxed environment to limit the impact of potential exploitation
# Verify Autodesk Fusion version on Windows (run in PowerShell)
Get-ItemProperty "HKLM:\SOFTWARE\Autodesk\Fusion*" | Select-Object DisplayName, DisplayVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

