CVE-2026-26336
Published: 19 February 2026
Summary
CVE-2026-26336 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Hyland Alfresco Content Services. Its reported CVSS base score is 8.7 (High); note that the CVSS 3.1 vector given in the analysis below scores 7.5.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 22.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-26336 is an unauthenticated arbitrary file read vulnerability in Hyland Alfresco. The flaw resides in the "/share/page/resource/" endpoint of the Alfresco Share web application, which serves files from protected directories such as WEB-INF without enforcing authorization, disclosing sensitive configuration files. Published on 2026-02-19, it carries a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-863 (Incorrect Authorization).
Because the attack complexity is low and neither privileges nor user interaction are required, any unauthenticated attacker with network access to the Share interface can exploit it. Exploitation allows remote reading of arbitrary files on the affected Alfresco instance, so confidential configuration data (credentials, filesystem paths, internal hostnames and other system details) can be extracted and used to stage follow-on attacks.
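As a practical check for the exploitation pattern described above, the following is an added example (it is not code from this page, from Hyland, or from VulnCheck) of detection logic that scans web-server access logs for requests to the /share/page/resource/ endpoint that reach into WEB-INF or META-INF, or that carry path-traversal segments, after normalising single and double percent-encoding. It assumes an Apache/nginx "combined" format access log in front of Alfresco Share; the log lines are constructed for illustration, and the request shapes in them are assumptions for the detector, not request forms taken from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format.
# They are illustrative only and are not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2026:10:01:02 +0000] "GET /share/page/resource/components/header/header.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2026:10:01:05 +0000] "GET /share/page/resource/WEB-INF/web.xml HTTP/1.1" 200 4096 "-" "curl/8.4.0"
198.51.100.9 - - [19/Feb/2026:10:02:11 +0000] "GET /share/page/resource/%57EB-INF/classes/alfresco-global.properties HTTP/1.1" 200 2210 "-" "python-requests/2.31"
198.51.100.9 - - [19/Feb/2026:10:02:15 +0000] "GET /share/page/resource/..%2f..%2fWEB-INF/classes/log4j2.properties HTTP/1.1" 404 120 "-" "python-requests/2.31"
192.0.2.4 - - [19/Feb/2026:10:03:00 +0000] "GET /alfresco/api/-default-/public/alfresco/versions/1/nodes HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

ENDPOINT_PREFIX = "/share/page/resource/"   # endpoint named in the advisory
PROTECTED = ("web-inf", "meta-inf")          # servlet-container directories that must never be served


def normalize_path(raw):
    """Drop the query string and percent-decode repeatedly, so that encoded
    (%57EB-INF) and double-encoded (%2557EB-INF) forms compare equal to the
    literal path. Backslashes are folded to '/' and case is ignored."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def is_suspicious(path):
    """True if the request targets the resource endpoint and, after
    normalisation, names a protected directory or contains a '..' segment."""
    norm = normalize_path(path)
    if not norm.startswith(ENDPOINT_PREFIX):
        return False
    segments = norm[len(ENDPOINT_PREFIX):].split("/")
    return ".." in segments or any(seg in PROTECTED for seg in segments)


def scan_log(text):
    """Return one finding per suspicious request. 'served' marks a 200
    response, i.e. the file was most likely disclosed rather than refused."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines that are not in combined format
        if is_suspicious(m["path"]):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": m["path"],
                "status": int(m["status"]),
                "served": m["status"] == "200",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "DISCLOSED" if f["served"] else "blocked"
        print(f'{f["ts"]} {f["ip"]} {flag} {f["path"]}')
```

The decode loop matters: a request that percent-encodes part of "WEB-INF" is still the same request to the servlet container, so matching on the raw URL alone misses it. Treating a 200 response as a likely disclosure is a heuristic; confirm against the response size and, where possible, the container's own logs.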
Vendor and third-party advisories provide mitigation guidance. Hyland's blog post on the unauthenticated arbitrary file read is at https://connect.hyland.com/t5/alfresco-blog/cve-2026-26336-unauthenticated-arbitrary-file-read-in-alfresco/ba-p/496550, and VulnCheck's advisory at https://www.vulncheck.com/advisories/hyland-alfresco-improper-authorization-arbitrary-file-read describes the same flaw as an improper-authorization arbitrary file read. Security teams should review both, together with the Alfresco Platform product page at https://www.hyland.com/en/solutions/products/alfresco-platform, for patch availability and remediation instructions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8378
Vulnerability details
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.
- CWE(s): CWE-863 (Incorrect Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated arbitrary file read in a public-facing Alfresco Share web application maps directly to Exploit Public-Facing Application (T1190) for initial access. It also enables remote collection of files from the host (Data from Local System, T1005), including configuration files that may contain credentials (Unsecured Credentials: Credentials In Files, T1552.001).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, directly preventing unauthenticated reads from protected directories like WEB-INF via the /share/page/resource/ endpoint.
- AC-14 (Permitted Actions Without Identification or Authentication): limits and documents the specific actions permitted without identification or authentication, which is exactly the boundary the vulnerable Alfresco endpoint fails to enforce.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of the improper authorization flaw (CVE-2026-26336), i.e. applying the vendor-provided patch.