Remote Code Execution Vulnerability in Hyland Alfresco Transformation Service
CVE-2026-26339

9.3 CRITICAL

What is CVE-2026-26339?

The Hyland Alfresco Transformation Service is vulnerable to an argument injection flaw that enables unauthenticated attackers to execute arbitrary code remotely. The flaw is associated with the service's document processing capabilities and potentially allows an attacker to exploit the system without valid credentials. Organizations using this service should apply the necessary patches and updates to protect their applications.

Affected Version(s)

Alfresco Community (Transform Core): versions before 5.2.4

Alfresco Transformation Service (Enterprise): versions before 4.2.3

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Piotr Bazydlo (@chudyPB) of watchTowr