Alfresco Transform Service
CVE-2026-26337
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network access with low complexity (AV:N/AC:L/PR:N/UI:N); high confidentiality from arbitrary file read, low integrity, and scope change (S:C) because SSRF reaches other systems.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.
AnalysisAI
Arbitrary file read and server-side request forgery in Hyland Alfresco Transformation Service (and the underlying Alfresco Transform Core, including 5.3.0-alpha1) allow unauthenticated remote attackers to read arbitrary files and coerce the server into making outbound requests via absolute path traversal. Hyland has published a coordinated security advisory (CVE-2026-26337/26338/26339). No public exploit has been identified at time of analysis and the EPSS probability is low (0.12%), but the network-facing, unauthenticated nature makes this a meaningful exposure for internet-reachable transform components.
Technical ContextAI
The Alfresco Transform Service and Alfresco Transform Core are the document/rendition transformation components of the Hyland (formerly Alfresco) content management platform, responsible for converting files between formats (e.g., generating thumbnails, PDF renditions, text extraction). The affected CPEs are cpe:2.3:a:hyland:alfresco_transform_service:*, cpe:2.3:a:hyland:alfresco_transform_core:*, and specifically cpe:2.3:a:hyland:alfresco_transform_core:5.3.0:alpha1. The root cause is CWE-36 (Absolute Path Traversal): the service accepts an attacker-controlled path or URI that is not constrained to an expected directory, allowing an absolute path (or URL) to be supplied directly. Because the same untrusted input can reference both local filesystem paths and remote/network URIs, the flaw manifests as both arbitrary file read (local absolute paths) and SSRF (outbound request to attacker-chosen destinations), consistent with the SSRF and Path Traversal tags.
RemediationAI
Apply the fix per the Hyland coordinated advisory at https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551 (covers CVE-2026-26337, -26338, and -26339); an exact fixed version number is not specified in the provided data, so confirm the patched release directly from that advisory and cross-reference https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-absolute-path-traversal-arbitrary-file-read-and-ssrf. Until patched, restrict network access to the Transform Service/Transform Core endpoints so they are reachable only from trusted Alfresco repository hosts rather than general or internet-facing networks (trade-off: none if the transform service is only meant to serve the repository, which is the normal architecture). To blunt the SSRF, apply egress filtering that blocks the transform host from reaching internal metadata endpoints (e.g., cloud metadata IP 169.254.169.254) and internal service ranges (trade-off: may break legitimate remote-source transforms). Do not expose the transform service directly to untrusted clients, and monitor for anomalous file-read paths or outbound requests originating from the transform host.
More in Alfresco Transform Core
View allSame weakness CWE-36 – Absolute Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today