Description
Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality.
Published: 2026-02-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

Hyland Alfresco Transformation Service enables an unauthenticated attacker to perform server‑side request forgery through its document processing functionality. By manipulating the request, the attacker can instruct the service to fetch arbitrary URLs, potentially accessing sensitive internal resources, external services, or performing reconnaissance on the internal network. This flaw enables the attacker to breach confidentiality, disrupt services, or further pivot within the environment.

Affected Systems

The vulnerability afflicts Hyland Alfresco Community (Transform Core) and Hyland Alfresco Transformation Service (Enterprise). No specific version is enumerated; the flaw applies to all released instances of the affected components.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate to high severity, yet the Exploit Prediction Scoring System rate is below 1%, implying a low current probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be remote network‑based, leveraging unauthenticated HTTP endpoints for triggering SSRF. Without immediate remediation, the flaw presents a tangible risk of internal data leakage and potential service disruption.

Generated by OpenCVE AI on April 16, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied security patch for Hyland Alfresco Transformation Service and Transform Core.
  • Configure network segmentation to restrict outbound traffic from the Transformation Service to only approved destinations, blocking access to sensitive internal IP ranges.
  • Disable or limit unauthenticated access to document processing endpoints, ensuring only authorized users can invoke the service.

Generated by OpenCVE AI on April 16, 2026 at 16:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Hyland alfresco Transform Core
Hyland alfresco Transform Service
CPEs cpe:2.3:a:hyland:alfresco_transformation_service:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hyland:transform_core_aio:*:*:*:*:community:*:*:*		 cpe:2.3:a:hyland:alfresco_transform_core:*:*:*:*:*:*:*:*
cpe:2.3:a:hyland:alfresco_transform_core:5.3.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:hyland:alfresco_transform_service:*:*:*:*:*:*:*:*
Vendors & Products Hyland transform Core Aio
Hyland alfresco Transform Core
Hyland alfresco Transform Service

Mon, 02 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sat, 28 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Hyland transform Core Aio
CPEs cpe:2.3:a:hyland:alfresco_transformation_service:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hyland:transform_core_aio:*:*:*:*:community:*:*:*
Vendors & Products Hyland transform Core Aio

Fri, 20 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
References

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Hyland
Hyland alfresco Community
Hyland alfresco Transformation Service
Vendors & Products Hyland
Hyland alfresco Community
Hyland alfresco Transformation Service

Thu, 19 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Description Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality.
Title Hyland Alfresco Transformation Service SSRF
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Hyland Alfresco Community Alfresco Transform Core Alfresco Transform Service Alfresco Transformation Service
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-02T14:49:40.980Z

Reserved: 2026-02-13T17:28:43.053Z

Link: CVE-2026-26338

cve-icon Vulnrichment

Updated: 2026-02-20T19:10:51.596Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T18:24:59.930

Modified: 2026-03-02T22:03:53.847

Link: CVE-2026-26338

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:00:09Z

Weaknesses