
Description

Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.

PUBLISHED | Reserved 2026-02-13 | Published 2026-02-19 | Updated 2026-02-20 | Assigner VulnCheck




HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

HIGH: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Problem types

CWE-863 Incorrect Authorization

Product status

Default status: unaffected

7.4.x (semver) before 7.4.2.6: affected

23.6.x (semver) before 23.6.1: affected

25.1.x (semver) before 25.3.0: affected

Default status: unaffected

Any version before 25.3.0: affected

Credits

Piotr Bazydlo (@chudyPB) of watchTowr (finder)

References

connect.hyland.com/...rary-file-read-in-alfresco/ba-p/496550 (vendor-advisory, patch)

www.hyland.com/en/solutions/products/alfresco-platform (product)

www.vulncheck.com/...roper-authorization-arbitrary-file-read (third-party-advisory)

cve.org (CVE-2026-26336)

nvd.nist.gov (CVE-2026-26336)
