Cyber Posture

CVE-2026-26339

Critical · Public PoC

Published: 19 February 2026

Modified: 02 March 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (47.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through an argument injection vulnerability in the document processing functionality.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Requires timely flaw remediation through vendor security updates that directly patch the argument injection vulnerability in document processing.

prevent

Mandates validation of all inputs to the document processing functionality to block malicious argument injection leading to RCE.

prevent · detect

Enforces boundary protections to monitor and control unauthenticated remote network access to the vulnerable transformation service.

Security Summary · AI

CVE-2026-26339 is an argument injection vulnerability in the Hyland Alfresco Transformation Service, specifically within its document processing functionality. This flaw allows unauthenticated attackers to achieve remote code execution (RCE). The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and potential for high confidentiality, integrity, and availability impacts. It is associated with CWE-918.

Unauthenticated remote attackers can exploit this vulnerability over the network without privileges or user interaction. By injecting malicious arguments into the document processing pipeline, attackers gain the ability to execute arbitrary code on the affected system, potentially leading to full server compromise.

Advisories from Hyland and VulnCheck detail mitigations, including security updates referenced at https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551 and https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-argument-injection-rce. Additional context on the affected Alfresco Platform is available at https://www.hyland.com/en/solutions/products/alfresco-platform. Security practitioners should consult these for patch deployment and workaround guidance.

Details

CWE(s)

Affected Products

hyland · alfresco transform service · ≤ 4.2.3
hyland · alfresco transform core · ≤ 5.2.4

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated argument injection in public-facing Hyland Alfresco Transformation Service enables remote code execution, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References