
CVE-2026-26337

Severity: High · Public PoC

Published: 19 February 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: vendor security update available (see references below)
CVSS v4 score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0036 (27.6th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-26337 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in Hyland Alfresco Transform Core. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 27.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26337 is an absolute path traversal vulnerability (CWE-36) in the Hyland Alfresco Transformation Service, enabling unauthenticated attackers to perform arbitrary file reads and server-side request forgery (SSRF). The issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, and no required privileges or user interaction. It was published on 2026-02-19.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests that supply absolute paths on the server. Successful exploitation grants high-impact arbitrary file read access, potentially exposing sensitive configuration files, credentials, or other data, alongside SSRF capabilities that allow attackers to interact with internal services or resources unreachable from the internet.

Vendor and third-party advisories provide further details on mitigation. Hyland's security update at https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551 addresses this alongside related CVEs, while the Alfresco Platform product page at https://www.hyland.com/en/solutions/products/alfresco-platform offers context on the affected component. VulnCheck's advisory at https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-absolute-path-traversal-arbitrary-file-read-and-ssrf includes technical analysis. Security practitioners should consult these for patching instructions and workarounds.


Vulnerability details

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.

CWE(s): CWE-36 (Absolute Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
- T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
- T1046 Network Service Discovery (Discovery): Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

T1190 for unauthenticated exploitation of a public-facing application; T1083 because the path traversal enables file discovery and reads; T1552.001 because the readable files may expose stored credentials; T1046 because the SSRF facilitates discovery of internal network services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-26338 (same product: Hyland Alfresco Transform Core)
- CVE-2026-26339 (same product: Hyland Alfresco Transform Core)
- CVE-2026-26336 (same vendor: Hyland)
- CVE-2024-48248 (shared CWE-36)
- CVE-2024-13159 (shared CWE-36)
- CVE-2025-57790 (shared CWE-36)
- CVE-2024-8501 (shared CWE-36)
- CVE-2025-7846 (shared CWE-36)
- CVE-2026-2753 (shared CWE-36)
- CVE-2026-4373 (shared CWE-36)

Affected Assets

- Hyland Alfresco Transform Service: versions ≤ 4.3
- Hyland Alfresco Transform Core: version 5.3.0 (≤ 5.3.0)

Mitigating Controls (NIST 800-53 r5) (AI)

- Prevent (SI-10, Information Input Validation): Validates information inputs to block crafted requests exploiting absolute path traversal for arbitrary file reads and SSRF.
- Prevent: Remediates the specific path traversal flaw in Hyland Alfresco Transformation Service through timely application of vendor security updates.
- Prevent (AC-3, Access Enforcement): Enforces approved authorizations for logical access to files and resources, preventing unauthorized reads via path traversal bypasses.
