CVE-2026-26336
Published: 19 February 2026
Summary
CVE-2026-26336 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Hyland Alfresco Content Services. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 21.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not yet been run; the list below is derived from the weakness type (CWE-863) cited in the NVD entry. Because this is an unauthenticated read on a public-facing endpoint, these generic controls are supporting measures only; the primary remediation is the vendor fix described in the advisories referenced under Deeper analysis.
- Periodic review and update of access-control procedures reduces incorrect authorization implementations over time.
- Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.
- Defining permitted attribute values and auditing modifications reduces incorrect authorization outcomes caused by tampered or missing labels.
- An authorization process and usage restrictions for each remote access type help prevent incorrect authorization decisions for remote access.
- Establishing configuration and connection requirements for wireless access helps ensure authorization is enforced correctly rather than incorrectly.
- Establishing connection authorization processes for mobile devices helps ensure those authorization decisions are implemented correctly.
- Monitoring account use, notifying on changes, and reviewing accounts for compliance catches and corrects incorrect authorization assignments.
- Controls on external system use ensure that authorization decisions for such use are correctly implemented and enforced.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated arbitrary file read on the public-facing Alfresco web application maps directly to T1190 for initial access. It also enables remote collection of local system files (T1005), including configuration files that may contain credentials (T1552.001).
NVD Description
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.
Deeper analysis
CVE-2026-26336 is an unauthenticated arbitrary file read vulnerability in Hyland Alfresco. The flaw resides in the "/share/page/resource/" endpoint, which permits attackers to access files from protected directories such as WEB-INF, resulting in the disclosure of sensitive configuration files. Published on 2026-02-19, it carries a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-863 (Incorrect Authorization).
Unauthenticated attackers with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Exploitation allows remote reading of arbitrary files on the affected Alfresco instance, enabling the extraction of confidential configuration data that may reveal credentials, paths, or other system details to facilitate subsequent attacks.
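Because the NVD description names both the vulnerable endpoint ("/share/page/resource/") and the protected directory an attacker reaches (WEB-INF), a defender can hunt for attempts in ordinary web-server access logs. The following is an added detection example written for this page; it is not code from Hyland, NVD, or any advisory, and the log lines it scans are constructed samples, not captured exploit traffic. It assumes Apache/Nginx "combined" log format, it generalizes the check to META-INF and to bare ".." traversal segments (neither is stated on the page), and it does not assume any particular encoding of the request path, since it percent-decodes repeatedly before matching.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Illustrative only;
# these are NOT captured exploit traffic, and the exact traversal shape used by
# the public proof-of-concept is not asserted here.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2026:10:01:12 +0000] "GET /share/page/resource/components/dashlets/dashlet.css HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2026:10:01:13 +0000] "GET /share/page/resource/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 6120 "-" "python-requests/2.31"
198.51.100.4 - - [19/Feb/2026:10:02:40 +0000] "GET /share/page/user/admin/dashboard HTTP/1.1" 200 9840 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2026:10:03:01 +0000] "GET /share/page/resource/WEB-INF/classes/alfresco/web-extension/share-config-custom.xml HTTP/1.1" 404 512 "-" "curl/8.4.0"
192.0.2.9 - - [19/Feb/2026:10:04:55 +0000] "GET /alfresco/service/api/login HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the NVD description for CVE-2026-26336.
RESOURCE_PREFIX = "/share/page/resource/"
# WEB-INF is named on the page; META-INF is an assumption (another servlet
# container directory that must never be served to clients).
PROTECTED_DIRS = ("web-inf", "meta-inf")


def normalize_path(raw: str) -> str:
    """Strip the query string, percent-decode repeatedly (bounded) so that
    double-encoded traversal such as %252e%252e is seen as '..', normalize
    backslashes, and lower-case for case-insensitive matching."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def classify_request(path: str) -> Optional[str]:
    """Return 'protected-dir' if the request targets WEB-INF/META-INF through
    the resource endpoint, 'traversal' if it contains a '..' segment there,
    or None if the request does not look like an attempt."""
    norm = normalize_path(path)
    if not norm.startswith(RESOURCE_PREFIX):
        return None
    segments = norm.split("/")
    if any(seg in PROTECTED_DIRS for seg in segments):
        return "protected-dir"
    if ".." in segments:
        return "traversal"
    return None


def scan_log(text: str) -> List[dict]:
    """Parse each log line and return one finding per suspicious request.
    A 2xx status is treated as a likely successful read; a 404 or other
    error status suggests the attempt was blocked or the file is absent."""
    findings: List[dict] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_request(m["path"])
        if kind is None:
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "path": m["path"],
            "status": m["status"],
            "kind": kind,
            "likely_success": m["status"].startswith("2"),
        })
    return findings


def hits_by_ip(findings: List[dict]) -> Dict[str, int]:
    """Aggregate findings per source address for triage."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['kind']:14} status={f['status']} "
              f"success={f['likely_success']} {f['path']}")
    print(hits_by_ip(scan_log(SAMPLE_LOG)))
```

Any hit with `likely_success` true is worth treating as a confirmed disclosure of whatever file the path names, and the source address should then be checked for follow-on authentication attempts using credentials that the disclosed configuration may contain. Normal Share traffic to the same endpoint (CSS, JavaScript, images under the resource prefix) produces no findings.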
Vendor and third-party advisories provide guidance on mitigation. Hyland's blog post on the unauthenticated arbitrary file read is at https://connect.hyland.com/t5/alfresco-blog/cve-2026-26336-unauthenticated-arbitrary-file-read-in-alfresco/ba-p/496550, and VulnCheck's advisory at https://www.vulncheck.com/advisories/hyland-alfresco-improper-authorization-arbitrary-file-read describes the same issue as improper authorization leading to arbitrary file read. Security teams should review both, together with the Alfresco Platform product page at https://www.hyland.com/en/solutions/products/alfresco-platform, for patch availability and remediation instructions.
Details
- CWE(s)