Arbitrary File Read and Server-Side Request Forgery in Hyland Alfresco Transformation Service
CVE-2026-26337

8.8 HIGH

What is CVE-2026-26337?

The Hyland Alfresco Transformation Service contains a path traversal vulnerability that unauthenticated attackers can exploit. By manipulating file paths, an attacker can read arbitrary files and perform server-side request forgery (SSRF), potentially exposing sensitive information and enabling unauthorized interaction with the internal network. Users should apply the latest security updates to mitigate the risks associated with these vulnerabilities.

Affected Version(s)

Alfresco Community (Transform Core): versions before 5.3.0

Alfresco Transformation Service (Enterprise): versions before 4.3.0

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Piotr Bazydlo (@chudyPB) of watchTowr