CVE-2026-26336
Hyland Alfresco Improper Authorization Arbitrary File Read
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.
| CWE | CWE-863 |
| Vendor | hyland |
| Product | alfresco enterprise |
| Published | Feb 19, 2026 |
| Last Updated | Mar 23, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
Affected Versions
Hyland / Alfresco Enterprise
7.4.0 < 7.4.2.6
23.6.0 < 23.6.1
25.1.0 < 25.3.0
Hyland / Alfresco Community
0 < 25.3.0
References
connect.hyland.com: https://connect.hyland.com/t5/alfresco-blog/cve-2026-26336-unauthenticated-arbitrary-file-read-in-alfresco/ba-p/496550
hyland.com: https://www.hyland.com/en/solutions/products/alfresco-platform
vulncheck.com: https://www.vulncheck.com/advisories/hyland-alfresco-improper-authorization-arbitrary-file-read
Credits
Piotr Bazydlo (@chudyPB) of watchTowr