CVE-2026-26337: Hyland Alfresco Transformation Service Absolute Path Traversal Arbitrary File Read and SSRF
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.
Security readout for executives and security teams
Plain-English summary
This vulnerability could let an unauthenticated attacker make Alfresco’s transformation component read files from the server or send requests from that server to other systems. The business risk is sensitive file exposure and internal network reachability through a trusted application component.
Executive priority
Treat as high priority for any exposed Alfresco transformation deployment. Prioritize confirmation, vendor patch review, and exposure reduction because the flaw can expose server-side files without authentication.
Technical view
CVE-2026-26337 is an absolute path traversal flaw in Hyland Alfresco Transformation Service, mapped to CWE-36. The provided record describes unauthenticated network exploitation with arbitrary file read and SSRF impact. CVSS 4.0 is 8.8 high, with high confidentiality impact and low attack complexity.
Likely exposure
Exposure appears limited to environments using Hyland Alfresco Transformation Service Enterprise or Alfresco Community Transform Core. The bundle does not provide clear affected version ranges beyond placeholder version data, so teams should confirm applicability directly against Hyland guidance.
Exploitation context
The source bundle does not show CISA KEV listing or cited evidence of active exploitation. The risk remains significant because the flaw is unauthenticated, network-reachable, and affects confidentiality through arbitrary file read and SSRF.
Researcher notes
The public bundle identifies the weakness class, impact, CVSS vector, and affected product families, but not precise vulnerable or fixed versions. Avoid assuming exploitation in the wild. Validation should focus on asset presence, exposure, logs, and vendor-confirmed patch status.
Mitigation direction
Review Hyland’s advisory for patched versions and upgrade instructions.
Restrict external access to Alfresco transformation services where business requirements allow.
Apply network egress controls from transformation service hosts.
Monitor Hyland and CVE Program updates for corrected affected-version details.
Validation and detection
Inventory Alfresco Transformation Service and Community Transform Core deployments.
Compare installed versions and topology against Hyland’s advisory.
Check whether transformation endpoints are reachable without authentication.
Review logs for abnormal file path errors or unexpected outbound requests.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-36: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references SSRF or metadata access, so cloud discovery and credential material review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-36 · source CWE mapping
Absolute Path Traversal
Absolute Path Traversal represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.