Alfresco Transformation Service allows unauthenticated attackers to access servers

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.9

Alfresco Transformation Service allows unauthenticated attackers to access servers

CVE-2026-26338

Summary

The Alfresco Transformation Service may allow attackers to trick the system into making unauthorized requests to external servers. This could lead to sensitive data being exposed or compromised. Update the Alfresco Transformation Service to the latest version to address this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
hyland	alfresco_transform_service	<= 4.3	–
hyland	alfresco_transform_core	<= 5.3.0	–
hyland	alfresco_transform_core	5.3.0	–

Original title

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality.

Original description

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality.

nvd CVSS3.1 9.8

nvd CVSS4.0 6.9

Vulnerability type

CWE-918 Server-Side Request Forgery (SSRF)

https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2... Vendor Advisory
https://www.hyland.com/en/solutions/products/alfresco-platform Product
https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-ssrf Third Party Advisory

Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026