Description
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.
Exploits (1)
References (3)
Core 3
Core References
Various Sources vendor-advisory
patch
https://connect.hyland.com/t5/alfresco-blog/cve-2026-26336-unauthenticated-arbitrary-file-read-in-alfresco/ba-p/496550
Various Sources product
https://www.hyland.com/en/solutions/products/alfresco-platform
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/hyland-alfresco-improper-authorization-arbitrary-file-read
Scores
CVSS v3
7.5
EPSS
0.0007
EPSS Percentile
21.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (6)
Hyland/Alfresco Community
< 25.3.0
Hyland/Alfresco Enterprise
23.6.0 - 23.6.1
Hyland/Alfresco Enterprise
25.1.0 - 25.3.0
Hyland/Alfresco Enterprise
7.4.0 - 7.4.2.6
hyland/alfresco_content_services
< 25.3
hyland/alfresco_content_services
7.4.0 - 7.4.2.5
Published
Feb 19, 2026
Tracked Since
Feb 19, 2026