Platform: java
Component: alfresco-transform-core
Fixed in: 4.2.3, 5.2.4
CVE-2026-26339 describes a critical Remote Code Execution (RCE) vulnerability within the Hyland Alfresco Transformation Service. This flaw allows unauthenticated attackers to inject arguments and execute arbitrary code through the document processing functionality. The vulnerability impacts versions 0.0 through 5.2.4 of the service. A fix is available in version 5.2.4.
The impact of CVE-2026-26339 is severe. Successful exploitation allows an attacker to gain complete control over the affected Alfresco Transformation Service instance. This could lead to data breaches, system compromise, and potential lateral movement within the network. An unauthenticated attacker can trigger this vulnerability, meaning no prior authentication is required, significantly broadening the attack surface. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including installing malware, modifying system configurations, and stealing sensitive data. This vulnerability shares similarities with other argument injection flaws where improper input validation allows attackers to manipulate program behavior.
CVE-2026-26339 was publicly disclosed on 2026-02-19. The CVSS score of 9.8 (CRITICAL) indicates a high probability of exploitation. As of the disclosure date, no public proof-of-concept (PoC) code has been released, but the ease of exploitation suggested by the description raises concerns about potential rapid exploitation. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.24% (46th percentile)
The primary mitigation for CVE-2026-26339 is to upgrade to version 5.2.4 of the Alfresco Transformation Service. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restrict access to the document processing functionality to trusted users and networks. Implement strict input validation on all user-supplied data to prevent argument injection. Monitor system logs for suspicious activity related to document processing. While a WAF or proxy may offer some protection, it is unlikely to be sufficient on its own given the nature of the vulnerability. After upgrading, confirm the fix by attempting to trigger the document processing functionality with malicious input and verifying that the system behaves as expected.
Update Alfresco Transformation Service to version 4.2.3 or later, or to version 5.2.4 or later, as appropriate for your product branch. This corrects the argument injection vulnerability that allows remote code execution.
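The version check implied by the remediation above, as an added example that is not part of the original page or Hyland's own tooling: it reads a Maven pom.xml and classifies each alfresco-transform-core dependency against the fixed releases 4.2.3 and 5.2.4. The artifactId prefix match, the branch mapping (4.x and earlier compared with 4.2.3, 5.x and later with 5.2.4) and the sample pom are assumptions.

```python
import re
import xml.etree.ElementTree as ET

COMPONENT = "alfresco-transform-core"      # assumption: artifactId starts with this
FIXED_4X, FIXED_5X = (4, 2, 3), (5, 2, 4)  # "Fixed in" values from this page

# Constructed sample input, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><transform.version>5.2.3</transform.version></properties>
  <dependencies><dependency>
    <groupId>org.example</groupId>
    <artifactId>alfresco-transform-core</artifactId>
    <version>${transform.version}</version>
  </dependency></dependencies>
</project>"""


def status(version):
    """Classify a version string as 'fixed', 'affected' or 'unknown'."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)", version.strip())
    if not m:
        return "unknown"  # empty, unresolved or non-numeric version
    v = tuple(int(g or 0) for g in m.groups()[:3])
    floor = FIXED_4X if v[0] <= 4 else FIXED_5X  # assumed branch mapping
    if v == floor and m.group(4):
        return "unknown"  # e.g. 5.2.4-SNAPSHOT: needs manual review
    return "fixed" if v >= floor else "affected"


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def scan_pom(pom_xml):
    """Return (artifactId, version, status) per matching dependency/parent."""
    root = ET.fromstring(pom_xml)  # parse only pom files you trust
    props = {local(p.tag): (p.text or "").strip()
             for el in root.iter() if local(el.tag) == "properties" for p in el}
    findings = []
    for el in root.iter():
        kids = {local(c.tag): (c.text or "").strip() for c in el}
        art = kids.get("artifactId", "")
        if local(el.tag) in ("dependency", "parent") and art.startswith(COMPONENT):
            ver = kids.get("version", "")
            ref = re.fullmatch(r"\$\{(.+)\}", ver)  # ${property} reference
            ver = props.get(ref.group(1), "") if ref else ver
            findings.append((art, ver, status(ver)))
    return findings
```

A result of `unknown` means the version is inherited from a parent or BOM, or carries a qualifier on the fixed release, and has to be checked against the resolved dependency tree.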
CVE-2026-26339 is a critical Remote Code Execution vulnerability in Alfresco Transformation Service allowing unauthenticated attackers to execute code through argument injection in document processing.
If you are running Alfresco Transformation Service versions 0.0 through 5.2.4, you are potentially affected by this vulnerability.
Upgrade to version 5.2.4 of Alfresco Transformation Service to remediate the vulnerability. Implement temporary workarounds if immediate upgrade is not possible.
While no public exploits are currently known, the high CVSS score and ease of exploitation suggest a potential for active exploitation.
Refer to the official Hyland Alfresco security advisory for detailed information and updates regarding CVE-2026-26339.