Description
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.
Published: 2026-02-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Hyland Alfresco possesses an endpoint, "/share/page/resource/", that can be accessed without authentication. By requesting any file path through this endpoint, an attacker can read arbitrary files located in protected directories such as WEB-INF. The resulting exposure of configuration files constitutes a significant breach of confidentiality, potentially enabling further attacks on the system. This weakness is identified as a CWE-863 Improper Authorization error, allowing unauthenticated users to access protected resources.

Affected Systems

The vulnerability affects both the Hyland Alfresco Community and the Hyland Alfresco Enterprise editions. Any deployment of these products that includes the /share/page/resource/ endpoint and exposes configuration directories, particularly WEB-INF, is potentially susceptible. The issue is present across all supported versions of the product family that have this endpoint, as no specific version restrictions are listed.

Risk and Exploitability

The CVSS score of 8.7 indicates a high impact with broad exploitation potential, but the EPSS score of less than 1% suggests that the likelihood of real-world exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog, so no known active exploits have been reported to date. An attacker could exploit it remotely without credentials, though the attack would still require the ability to send HTTP requests to the vulnerable application. The lack of a published patch at this time increases the urgency for customers to monitor for an official fix or implement interim controls.

Generated by OpenCVE AI on April 16, 2026 at 06:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch or update to the latest Alfresco release that removes or secures the /share/page/resource/ endpoint
  • Configure web server or application firewall rules to block unauthenticated access to the /share/page/resource/ path
  • Verify that configuration files in protected directories (e.g., WEB-INF) are not served by the application and consider moving sensitive data outside web-accessible locations

Generated by OpenCVE AI on April 16, 2026 at 06:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:alfresco:community_share:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:alfresco_enterprise_content_management:*:*:*:*:*:*:*:*
Vendors & Products Alfresco
Alfresco community Share
Atlassian
Atlassian alfresco Enterprise Content Management

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Alfresco
Alfresco community Share
Atlassian
Atlassian alfresco Enterprise Content Management
CPEs cpe:2.3:a:alfresco:community_share:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:alfresco_enterprise_content_management:*:*:*:*:*:*:*:*
Vendors & Products Alfresco
Alfresco community Share
Atlassian
Atlassian alfresco Enterprise Content Management

Tue, 03 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Hyland alfresco Content Services
CPEs cpe:2.3:a:hyland:alfresco_content_services:*:*:*:*:community:*:*:*
cpe:2.3:a:hyland:alfresco_content_services:*:*:*:*:enterprise:*:*:*
Vendors & Products Hyland alfresco Content Services

Fri, 20 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
References

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Hyland
Hyland alfresco Community
Hyland alfresco Enterprise
Vendors & Products Hyland
Hyland alfresco Community
Hyland alfresco Enterprise

Thu, 19 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.
Title Hyland Alfresco Improper Authorization Arbitrary File Read
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Hyland Alfresco Community Alfresco Content Services Alfresco Enterprise
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:46:25.099Z

Reserved: 2026-02-13T17:28:43.052Z

Link: CVE-2026-26336

cve-icon Vulnrichment

Updated: 2026-02-20T19:05:57.220Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T17:24:50.943

Modified: 2026-03-03T16:37:14.833

Link: CVE-2026-26336

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:30:06Z

Weaknesses