CVE-2026-26336

Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://connect.hyland.com/t5/alfresco-blog/cve-2026-26336-unauthenticated-arbitrary-file-read-in-alfresco/ba-p/496550	Vendor Advisory
https://www.hyland.com/en/solutions/products/alfresco-platform	Product
https://www.vulncheck.com/advisories/hyland-alfresco-improper-authorization-arbitrary-file-read	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hyland:alfresco_content_services:*:*:*:*:community:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:hyland:alfresco_content_services:::::enterprise:::*
	cpe:2.3:a:hyland:alfresco_content_services:::::enterprise:::*
	cpe:2.3:a:hyland:alfresco_content_services:::::enterprise:::*

History

03 Mar 2026, 16:37

Type	Values Removed	Values Added
CPE		cpe:2.3:a:hyland:alfresco_content_services:::::community:::* cpe:2.3:a:hyland:alfresco_content_services:::::enterprise:::*
Summary		(es) Hyland Alfresco permite a atacantes no autenticados leer archivos arbitrarios de directorios protegidos (como WEB-INF) a través del endpoint '/share/page/resource/', lo que lleva a la divulgación de archivos de configuración sensibles.
References	~~() https://connect.hyland.com/t5/alfresco-blog/cve-2026-26336-unauthenticated-arbitrary-file-read-in-alfresco/ba-p/496550 -~~	() https://connect.hyland.com/t5/alfresco-blog/cve-2026-26336-unauthenticated-arbitrary-file-read-in-alfresco/ba-p/496550 - Vendor Advisory
References	~~() https://www.hyland.com/en/solutions/products/alfresco-platform -~~	() https://www.hyland.com/en/solutions/products/alfresco-platform - Product
References	~~() https://www.vulncheck.com/advisories/hyland-alfresco-improper-authorization-arbitrary-file-read -~~	() https://www.vulncheck.com/advisories/hyland-alfresco-improper-authorization-arbitrary-file-read - Third Party Advisory
First Time		Hyland Hyland alfresco Content Services

20 Feb 2026, 15:20

Type	Values Removed	Values Added
References		() https://connect.hyland.com/t5/alfresco-blog/cve-2026-26336-unauthenticated-arbitrary-file-read-in-alfresco/ba-p/496550 -

19 Feb 2026, 17:24

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-19 17:24

Updated : 2026-03-03 16:37

NVD link : CVE-2026-26336

Mitre link : CVE-2026-26336

CVE.ORG link : CVE-2026-26336

JSON object : View

Products Affected

hyland

alfresco_content_services

CWE

CWE-863

Incorrect Authorization

7.5 /10