Cyber Posture

CVE-2026-26337

Severity: High · Public PoC available

Published: 19 February 2026
Modified: 02 March 2026
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0024 (47.3rd percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery (SSRF) through an absolute path traversal flaw.

Mitigating Controls (NIST 800-53 r5)

- Prevent: Validate information inputs to reject crafted requests that exploit absolute path traversal for arbitrary file reads and SSRF.
- Prevent: Remediate the path traversal flaw in Hyland Alfresco Transformation Service by applying vendor security updates promptly.
- Prevent: Enforce approved authorizations for logical access to files and resources, so that a path traversal bypass does not yield unauthorized reads.

Security Summary

CVE-2026-26337 is an absolute path traversal vulnerability (CWE-36) in the Hyland Alfresco Transformation Service, enabling unauthenticated attackers to perform arbitrary file reads and server-side request forgery (SSRF). The issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, and no required privileges or user interaction. It was published on 2026-02-19.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests containing absolute paths that the service resolves on the server. Successful exploitation grants high-impact arbitrary file read access, potentially exposing sensitive configuration files, credentials, or other data, together with SSRF capabilities that let attackers interact with internal services or resources unreachable from the internet.

Vendor and third-party advisories provide further details on mitigation. Hyland's security update at https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551 addresses this alongside related CVEs, while the Alfresco Platform product page at https://www.hyland.com/en/solutions/products/alfresco-platform offers context on the affected component. VulnCheck's advisory at https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-absolute-path-traversal-arbitrary-file-read-and-ssrf includes technical analysis. Security practitioners should consult these for patching instructions and workarounds.

Details

CWE(s): CWE-36 (Absolute Path Traversal)

Affected Products

- hyland / alfresco transform service: ≤ 4.3
- hyland / alfresco transform core: 5.3.0 (≤ 5.3.0)

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
- T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
- T1046 Network Service Discovery (Discovery): Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

T1190 for unauthenticated exploitation of the public-facing application; T1083 because the path traversal enables file discovery and reads; T1552.001 because readable files may expose stored credentials; T1046 because the SSRF facilitates discovery of internal network services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References