
CVE-2026-26336

Severity: High · Public PoC

Published: 19 February 2026
Modified: 03 March 2026
CISA KEV: not listed
CVSS v4.0 base score: 8.7 (High) · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS score: 0.0031 (22.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-26336 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Hyland Alfresco Content Services. Its CVSS v4.0 base score is 8.7 (High); the CVSS 3.1 base score is 7.5.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 22.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-26336 is an unauthenticated arbitrary file read vulnerability in Hyland Alfresco. The flaw resides in the "/share/page/resource/" endpoint, which permits attackers to access files from protected directories such as WEB-INF, resulting in the disclosure of sensitive configuration files. Published on 2026-02-19, it carries a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-863 (Incorrect Authorization).

Unauthenticated attackers with network access can exploit this vulnerability: attack complexity is low and no privileges or user interaction are required. Exploitation allows remote reading of files on the affected Alfresco instance, enabling the extraction of confidential configuration data that may reveal credentials, paths, or other system details useful for follow-on attacks. Because the request is unauthenticated, the only server-side evidence is typically the web server access log, so requests to the vulnerable endpoint that name a protected directory or carry traversal sequences are the primary detection signal.
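The following is an added example, not code from the page or from Hyland, that turns the description above into a detection: it parses access log lines, normalizes the request path (URL-decoding twice to catch double encoding, then splitting into segments), and flags any request to the "/share/page/resource/" endpoint that names WEB-INF or META-INF or carries a ".." segment. The log lines are constructed for illustration; the file names in them are generic Java web application paths, not targets taken from the advisory, and the log format is assumed to be the common combined format.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (combined format). These lines are made up for this
# example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2026:10:00:01 +0000] "GET /share/page/resource/components/header/header.css?v=1 HTTP/1.1" 200 4412
203.0.113.9 - - [19/Feb/2026:10:00:02 +0000] "GET /share/page/resource/WEB-INF/web.xml HTTP/1.1" 200 9021
203.0.113.9 - - [19/Feb/2026:10:00:03 +0000] "GET /share/page/resource/..%2fWEB-INF%2fweb.xml HTTP/1.1" 200 9021
203.0.113.9 - - [19/Feb/2026:10:00:04 +0000] "GET /share/page/resource/css/%252e%252e/web-inf/web.xml HTTP/1.1" 403 0
203.0.113.9 - - [19/Feb/2026:10:00:05 +0000] "GET /share/page/resource/..%2f..%2fnotes.txt HTTP/1.1" 404 0
198.51.100.4 - - [19/Feb/2026:10:00:06 +0000] "GET /share/page/user/admin/dashboard HTTP/1.1" 200 7310
"""

RESOURCE_PREFIX = "/share/page/resource/"   # endpoint named in the advisory
PROTECTED_DIRS = {"web-inf", "meta-inf"}    # servlet container directories that must never be served

# Combined log format: ip ident user [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def classify_request(raw_path: str):
    """Return None for a benign request, or a short reason string if the request
    targets the resource endpoint and looks like an attempt to read a protected file."""
    if not raw_path.startswith(RESOURCE_PREFIX):
        return None
    path = raw_path.split("?", 1)[0]
    # Decode twice so %252e%252e (double-encoded "..") is seen as a traversal too;
    # also fold backslashes, which some servlet stacks treat as separators.
    decoded = unquote(unquote(path)).replace("\\", "/")
    segments = [s.lower() for s in decoded.split("/") if s]
    if any(s in PROTECTED_DIRS for s in segments):
        return "protected directory in resource path"
    if ".." in segments:
        return "dot-dot traversal in resource path"
    return None


def scan_access_log(text: str):
    """Return a list of (ip, path, status, reason) for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["path"])
        if reason:
            hits.append((m["ip"], m["path"], int(m["status"]), reason))
    return hits


def successful_reads(hits):
    """A flagged request answered with 200 is a likely successful disclosure; 403/404 are
    blocked or failed attempts and matter mainly as reconnaissance indicators."""
    return [h for h in hits if h[2] == 200]


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for ip, path, status, reason in found:
        print(f"{ip} {status} {path}  <- {reason}")
    print(f"{len(successful_reads(found))} of {len(found)} flagged requests returned 200")
```

The same `classify_request` logic can be placed in front of the application as a deny rule at a reverse proxy or WAF while the vendor patch is rolled out; the log scan is the retroactive check for whether the endpoint was already probed.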

Vendor and third-party advisories provide guidance on mitigation. Hyland's blog post on the unauthenticated arbitrary file read is at https://connect.hyland.com/t5/alfresco-blog/cve-2026-26336-unauthenticated-arbitrary-file-read-in-alfresco/ba-p/496550, and VulnCheck's advisory at https://www.vulncheck.com/advisories/hyland-alfresco-improper-authorization-arbitrary-file-read covers the improper authorization aspect. Security teams should review these, along with the Alfresco Platform product page at https://www.hyland.com/en/solutions/products/alfresco-platform, for patch availability and remediation instructions.


Vulnerability details

Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.

CWE(s)

CWE-863 Incorrect Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

An unauthenticated arbitrary file read on a public-facing Alfresco web application maps directly to T1190 for initial access; it also enables remote collection of local system files (T1005), including configuration files that may contain credentials (T1552.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26337 (same vendor: Hyland)
CVE-2026-26338 (same vendor: Hyland)
CVE-2026-26339 (same vendor: Hyland)
CVE-2026-28229 (shared CWE-863)
CVE-2026-42438 (shared CWE-863)
CVE-2026-22682 (shared CWE-863)
CVE-2026-40515 (shared CWE-863)
CVE-2026-24748 (shared CWE-863)
CVE-2026-32924 (shared CWE-863)
CVE-2026-23837 (shared CWE-863)

Affected Assets

Hyland Alfresco Content Services: versions ≤ 25.3; 7.4.0 to 7.4.2.5; 23.1 to 23.6.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for access to system resources, directly preventing unauthenticated arbitrary file reads from protected directories like WEB-INF via the /share/page/resource/ endpoint.

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Limits and documents the specific actions permitted without identification or authentication, mitigating the unauthenticated access flaw in the vulnerable Alfresco endpoint.

Flaw remediation (prevent)
Mandates timely identification, reporting, and correction of the specific improper authorization flaw (CVE-2026-26336), enabling application of vendor-provided patches.