Alfresco Transformation Service lets attackers read any file on the server

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.8

Alfresco Transformation Service lets attackers read any file on the server

CVE-2026-26337

Summary

The Alfresco Transformation Service has a security issue that allows anyone to read any file on the server without needing a password. This is a security risk because sensitive information could be accessed and used for malicious purposes. To fix this, update to the latest version of the Alfresco Transformation Service.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
hyland	alfresco_transform_service	<= 4.3	–
hyland	alfresco_transform_core	<= 5.3.0	–
hyland	alfresco_transform_core	5.3.0	–

Original title

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.

Original description

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.

nvd CVSS3.1 8.2

nvd CVSS4.0 8.8

Vulnerability type

CWE-36

https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2... Vendor Advisory
https://www.hyland.com/en/solutions/products/alfresco-platform Product
https://www.vulncheck.com/advisories/hyland-alfresco-transformation-service-abso... Third Party Advisory

Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026