CVE-2026-26336

Published: Feb 19, 2026Modified: Mar 3, 2026

8.7

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: disclosure@vulncheck.com (Secondary)

Description

Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.

Affected (4)

Products: Hyland: Alfresco Content Services

Hyland

1 product

Alfresco Content Services

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Hyland Alfresco Content Services	Before 25.3

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Hyland Alfresco Content Services	From 23.1 to 23.6.0
Hyland Alfresco Content Services	From 25.1 to 25.2
Hyland Alfresco Content Services	From 7.4.0 to 7.4.2.5

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (3)

https://connect.hyland.com/t5/alfresco-blog/cve-2026-26336-unauthenticated-arbitrary-file-read-in-alfresco/ba-p/496550

Source: disclosure@vulncheck.com

Vendor Advisory

https://www.hyland.com/en/solutions/products/alfresco-platform

Source: disclosure@vulncheck.com

Product

https://www.vulncheck.com/advisories/hyland-alfresco-improper-authorization-arbitrary-file-read

Source: disclosure@vulncheck.com

Third Party Advisory

Timeline

No history available yet.