CVE-2026-26338

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-26338
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551 Vendor Advisory
https://www.hyland.com/en/solutions/products/alfresco-platform Product
https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-ssrf Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:hyland:alfresco_transform_service:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:hyland:alfresco_transform_core:*:*:*:*:*:*:*:*
cpe:2.3:a:hyland:alfresco_transform_core:5.3.0:alpha1:*:*:*:*:*:*
History

02 Mar 2026, 22:03

Type Values Removed Values Added
First Time Hyland alfresco Transform Service
Hyland alfresco Transform Core
CPE cpe:2.3:a:hyland:alfresco_transformation_service:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hyland:transform_core_aio:*:*:*:*:community:*:*:*		 cpe:2.3:a:hyland:alfresco_transform_core:5.3.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:hyland:alfresco_transform_core:*:*:*:*:*:*:*:*
cpe:2.3:a:hyland:alfresco_transform_service:*:*:*:*:*:*:*:*

02 Mar 2026, 15:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.5 		v2 : unknown
v3 : 9.8

28 Feb 2026, 00:02

Type Values Removed Values Added
First Time Hyland transform Core Aio
Hyland
Hyland alfresco Transformation Service
CPE cpe:2.3:a:hyland:alfresco_transformation_service:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hyland:transform_core_aio:*:*:*:*:community:*:*:*
References () https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551 - () https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551 - Vendor Advisory
References () https://www.hyland.com/en/solutions/products/alfresco-platform - () https://www.hyland.com/en/solutions/products/alfresco-platform - Product
References () https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-ssrf - () https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-ssrf - Third Party Advisory
Summary
  • (es) Hyland Alfresco Transformation Service permite a atacantes no autenticados lograr falsificación de petición del lado del servidor (SSRF) a través de la funcionalidad de procesamiento de documentos.

20 Feb 2026, 15:20

Type Values Removed Values Added
References
  • () https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551 -

19 Feb 2026, 18:24

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-19 18:24

Updated : 2026-03-02 22:03

NVD link : CVE-2026-26338

Mitre link : CVE-2026-26338

CVE.ORG link : CVE-2026-26338

JSON object : View

Products Affected

hyland

  • alfresco_transform_core
  • alfresco_transform_service
CWE
CWE-918

Server-Side Request Forgery (SSRF)