Platform: java
Component: alfresco-transform-core
Fixed in: 4.3.0, 5.3.0
CVE-2026-26338 describes a critical Server-Side Request Forgery (SSRF) vulnerability discovered in Hyland Alfresco Transformation Service. This flaw allows unauthenticated attackers to leverage the document processing functionality to initiate requests to internal or external resources, potentially leading to data exposure or further compromise. The vulnerability affects versions 0.0.0 through 5.3.0, and a patch is available in version 5.3.0.
The SSRF vulnerability in Alfresco Transformation Service poses a significant risk because it allows attackers to bypass security controls and interact with internal systems without authentication. An attacker could potentially scan internal networks for open ports and services, access sensitive data stored on internal servers, or even trigger actions on other systems within the network. Successful exploitation could lead to data breaches, denial of service, or a foothold for further attacks. The lack of authentication required to exploit the vulnerability significantly broadens the attack surface, making it a high-priority concern.
CVE-2026-26338 was publicly disclosed on 2026-02-19. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (POC) code has been released. The CVSS score of 9.8 reflects the critical severity and ease of exploitation. The vulnerability has not been added to the CISA KEV catalog at the time of this writing.
EPSS: 0.11% (29th percentile)
The primary mitigation for CVE-2026-26338 is to upgrade Alfresco Transformation Service to version 5.3.0 or later, which includes the necessary fix. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting outbound network access from the Transformation Service using a Web Application Firewall (WAF) or proxy server. Configure the WAF to block requests to known sensitive internal resources or external services. Carefully review and restrict the allowed protocols and domains that the Transformation Service can access. After upgrading, confirm the vulnerability is resolved by attempting a request to an internal resource and verifying that it is blocked or handled correctly.
Update Alfresco Transformation Service to version 4.3.0 or later, or to version 5.3.0 or later, as appropriate. This corrects the SSRF vulnerability by allowing the service to properly validate requests before processing them.
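The workaround above asks operators to restrict the protocols and hosts the service may reach. The page does not describe how the vendor's patch validates requests, so the following is an added, generic illustration of what such a guard looks like in Java, not Alfresco code: the class `OutboundUrlGuard`, its `Resolver` hook, the hostnames and the stub resolver are all invented here. It rejects non-HTTP schemes, hosts outside an explicit allowlist, and allowlisted names whose resolved addresses fall in loopback, link-local, private or multicast ranges, so that a name pointing at an internal address (a stale zone or DNS rebinding) is still refused.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/**
 * Allowlist-based guard for URLs a document-processing service fetches on
 * behalf of callers. Added example, not Alfresco code: class, method and
 * hostnames are invented for illustration.
 */
public final class OutboundUrlGuard {

    /** DNS hook so the guard can run offline against a stub (see main). */
    @FunctionalInterface
    public interface Resolver {
        InetAddress[] resolve(String host) throws UnknownHostException;
    }

    private final Set<String> allowedHosts; // lower-case hostnames the service may contact
    private final Resolver resolver;

    public OutboundUrlGuard(Set<String> allowedHosts, Resolver resolver) {
        this.allowedHosts = allowedHosts;
        this.resolver = resolver;
    }

    /** Returns null when the URL may be fetched, otherwise the reason for rejection. */
    public String reject(String rawUrl) {
        URI uri;
        try {
            uri = new URI(rawUrl);
        } catch (URISyntaxException e) {
            return "malformed URL";
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return "missing scheme";
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return "scheme not allowed: " + scheme; // file:, ftp:, jar:, gopher: ...
        }
        // getHost() is the parsed host only; a userinfo component before '@' is not part of it
        String host = uri.getHost();
        if (host == null) {
            return "missing or unparsable host";
        }
        host = host.toLowerCase(Locale.ROOT);
        if (!allowedHosts.contains(host)) {
            return "host not on allowlist: " + host;
        }
        InetAddress[] addrs;
        try {
            addrs = resolver.resolve(host);
        } catch (UnknownHostException e) {
            return "host does not resolve: " + host;
        }
        // Every resolved address must be public: an allowlisted name that points
        // at an internal range (stale zone, DNS rebinding) is still refused.
        for (InetAddress a : addrs) {
            if (isNonPublic(a)) {
                return "resolves to a non-public address: " + a.getHostAddress();
            }
        }
        return null;
    }

    static boolean isNonPublic(InetAddress a) {
        byte[] b = a.getAddress();
        // IPv6 unique-local fc00::/7 is not covered by isSiteLocalAddress (fec0::/10 only)
        boolean ipv6Ula = b.length == 16 && (b[0] & 0xfe) == 0xfc;
        return a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress() || ipv6Ula;
    }

    public static void main(String[] args) {
        // Constructed stub resolver: literal IPs only, so no real DNS lookup happens.
        Resolver stub = host -> {
            if (host.equals("docs.example.com")) {
                return new InetAddress[] { InetAddress.getByName("203.0.113.10") };
            }
            if (host.equals("stale.example.com")) {
                return new InetAddress[] { InetAddress.getByName("10.0.0.5") };
            }
            throw new UnknownHostException(host);
        };
        OutboundUrlGuard guard = new OutboundUrlGuard(
                Set.of("docs.example.com", "stale.example.com"), stub);

        String[] samples = {
            "https://docs.example.com/report.docx", // allowed
            "file:///etc/hostname",                 // scheme not allowed
            "http://127.0.0.1:8080/",               // host not on allowlist
            "http://stale.example.com/",            // allowlisted name, internal address
            "http://docs.example.com@10.0.0.9/"     // userinfo before '@'; real host is 10.0.0.9
        };
        for (String s : samples) {
            String why = guard.reject(s);
            System.out.println((why == null ? "ALLOW  " : "REJECT ") + s
                    + (why == null ? "" : "  (" + why + ")"));
        }
    }
}
```

Two design points carry over to any real deployment: the check is applied to the resolved addresses, not just the hostname string, and the service should connect to the address it validated rather than resolving the name a second time. The range classification above is not exhaustive (for example 100.64.0.0/10 is not flagged); pair it with egress filtering at the network layer, as the workaround in the text suggests, rather than relying on URL validation alone.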
CVE-2026-26338 is a critical SSRF vulnerability in Alfresco Transformation Service allowing unauthenticated attackers to make server-side requests, potentially accessing internal resources. It affects versions 0.0.0 through 5.3.0.
If you are running Alfresco Transformation Service versions 0.0.0 through 5.3.0, you are potentially affected by this vulnerability. Upgrade to version 5.3.0 or later to mitigate the risk.
The recommended fix is to upgrade Alfresco Transformation Service to version 5.3.0 or later. As a temporary workaround, restrict outbound network access using a WAF or proxy server.
As of the current date, there is no public evidence of active exploitation of CVE-2026-26338 in the wild.
Please refer to the official Hyland/Alfresco security advisory for detailed information and updates regarding CVE-2026-26338.