8.7
Hyland Alfresco allows unauthorized access to sensitive configuration files
CVE-2026-26336
Summary
An attacker can access sensitive files in protected directories without logging in. This could lead to the disclosure of confidential configuration settings. Hyland Alfresco users should update to the latest version to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| hyland | alfresco_content_services | <= 25.3 | – |
| hyland | alfresco_content_services | > 7.4.0, <= 7.4.2.5 | – |
| hyland | alfresco_content_services | > 23.1, <= 23.6.0 | – |
| hyland | alfresco_content_services | > 25.1, <= 25.2 | – |
Original title
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensit...
Original description
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.
NVD CVSS 3.1
7.5
NVD CVSS 4.0
8.7
Vulnerability type
CWE-863
Incorrect Authorization
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026