Cyber Posture

CVE-2026-26339

Critical · Public PoC

Published: 19 February 2026

Modified: 02 March 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (47.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26339 is a critical-severity vulnerability in Hyland Alfresco Transform Service, classified here as SSRF (CWE-918); the NVD description below characterizes it as an argument injection in the document processing functionality that leads to unauthenticated remote code execution. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 47.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Requires timely flaw remediation through vendor security updates that directly patch the argument injection vulnerability in document processing.

prevent

Mandates validation of all inputs to the document processing functionality to block malicious argument injection leading to RCE.

prevent · detect

Enforces boundary protections to monitor and control unauthenticated remote network access to the vulnerable transformation service.

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Unauthenticated argument injection in the public-facing Hyland Alfresco Transformation Service enables remote code execution, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code execution through the argument injection vulnerability, which exists in the document processing functionality.

Deeper analysis · AI

CVE-2026-26339 is an argument injection vulnerability in the Hyland Alfresco Transformation Service, specifically within its document processing functionality. This flaw allows unauthenticated attackers to achieve remote code execution (RCE). The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and potential for high confidentiality, integrity, and availability impacts. It is associated with CWE-918.

Unauthenticated remote attackers can exploit this vulnerability over the network without privileges or user interaction. By injecting malicious arguments into the document processing pipeline, attackers gain the ability to execute arbitrary code on the affected system, potentially leading to full server compromise.

Advisories from Hyland and VulnCheck detail mitigations, including security updates referenced at https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551 and https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-argument-injection-rce. Additional context on the affected Alfresco Platform is available at https://www.hyland.com/en/solutions/products/alfresco-platform. Security practitioners should consult these for patch deployment and workaround guidance.

Details

CWE(s)

Affected Products

hyland · alfresco transform service · ≤ 4.2.3
hyland · alfresco transform core · ≤ 5.2.4

CVEs Like This One

CVE-2026-26338 · Same product: Hyland Alfresco Transform Core
CVE-2026-26337 · Same product: Hyland Alfresco Transform Core
CVE-2025-21385 · Shared CWE-918
CVE-2024-13195 · Shared CWE-918
CVE-2026-7178 · Shared CWE-918
CVE-2024-52606 · Shared CWE-918
CVE-2026-39843 · Shared CWE-918
CVE-2026-32301 · Shared CWE-918
CVE-2026-6605 · Shared CWE-918
CVE-2024-13904 · Shared CWE-918
