Skip to main content

Alfresco Transform Service CVE-2026-26337

HIGH
Absolute Path Traversal (CWE-36)
2026-02-19 disclosure@vulncheck.com
8.8
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.3 CRITICAL

Unauthenticated network access with low complexity (AV:N/AC:L/PR:N/UI:N); high confidentiality from arbitrary file read, low integrity, and scope change (S:C) because SSRF reaches other systems.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jul 14, 2026 - 16:53 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 14, 2026 - 16:52 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 16:22 NVD
8.2 (HIGH) 8.8 (HIGH)
Analysis Generated
Mar 12, 2026 - 22:03 vuln.today
CVE Published
Feb 19, 2026 - 18:24 nvd
HIGH 8.2

DescriptionCVE.org

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.

AnalysisAI

Arbitrary file read and server-side request forgery in Hyland Alfresco Transformation Service (and the underlying Alfresco Transform Core, including 5.3.0-alpha1) allow unauthenticated remote attackers to read arbitrary files and coerce the server into making outbound requests via absolute path traversal. Hyland has published a coordinated security advisory (CVE-2026-26337/26338/26339). No public exploit has been identified at time of analysis and the EPSS probability is low (0.12%), but the network-facing, unauthenticated nature makes this a meaningful exposure for internet-reachable transform components.

Technical ContextAI

The Alfresco Transform Service and Alfresco Transform Core are the document/rendition transformation components of the Hyland (formerly Alfresco) content management platform, responsible for converting files between formats (e.g., generating thumbnails, PDF renditions, text extraction). The affected CPEs are cpe:2.3:a:hyland:alfresco_transform_service:*, cpe:2.3:a:hyland:alfresco_transform_core:*, and specifically cpe:2.3:a:hyland:alfresco_transform_core:5.3.0:alpha1. The root cause is CWE-36 (Absolute Path Traversal): the service accepts an attacker-controlled path or URI that is not constrained to an expected directory, allowing an absolute path (or URL) to be supplied directly. Because the same untrusted input can reference both local filesystem paths and remote/network URIs, the flaw manifests as both arbitrary file read (local absolute paths) and SSRF (outbound request to attacker-chosen destinations), consistent with the SSRF and Path Traversal tags.

RemediationAI

Apply the fix per the Hyland coordinated advisory at https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551 (covers CVE-2026-26337, -26338, and -26339); an exact fixed version number is not specified in the provided data, so confirm the patched release directly from that advisory and cross-reference https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-absolute-path-traversal-arbitrary-file-read-and-ssrf. Until patched, restrict network access to the Transform Service/Transform Core endpoints so they are reachable only from trusted Alfresco repository hosts rather than general or internet-facing networks (trade-off: none if the transform service is only meant to serve the repository, which is the normal architecture). To blunt the SSRF, apply egress filtering that blocks the transform host from reaching internal metadata endpoints (e.g., cloud metadata IP 169.254.169.254) and internal service ranges (trade-off: may break legitimate remote-source transforms). Do not expose the transform service directly to untrusted clients, and monitor for anomalous file-read paths or outbound requests originating from the transform host.

Share

CVE-2026-26337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy