Platform
java
Component
alfresco-transform-core
Fixed in
4.3.0
5.3.0
CVE-2026-26338 describes a critical Server-Side Request Forgery (SSRF) vulnerability discovered in Hyland Alfresco Transformation Service. This flaw allows unauthenticated attackers to leverage the document processing functionality to initiate requests to internal or external resources, potentially leading to data exposure or further compromise. The vulnerability affects versions 0.0.0 through 5.3.0, and a patch is available in version 5.3.0.
The SSRF vulnerability in Alfresco Transformation Service poses a significant risk because it allows attackers to bypass security controls and interact with internal systems without authentication. An attacker could potentially scan internal networks for open ports and services, access sensitive data stored on internal servers, or even trigger actions on other systems within the network. Successful exploitation could lead to data breaches, denial of service, or a foothold for further attacks. The lack of authentication required to exploit the vulnerability significantly broadens the attack surface, making it a high-priority concern.
CVE-2026-26338 was publicly disclosed on 2026-02-19. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (POC) code has been released. The CVSS score of 9.8 reflects the critical severity and ease of exploitation. The vulnerability has not been added to the CISA KEV catalog at the time of this writing.
Organizations utilizing Alfresco Transformation Service for document processing, particularly those with internal systems accessible from the internet or those using shared hosting environments, are at significant risk. Legacy configurations that allow unrestricted outbound network access are especially vulnerable.
• java / server: Monitor Alfresco Transformation Service logs for unusual outbound requests, particularly those targeting internal IP addresses or sensitive services. Use Java profiling tools to identify suspicious network activity originating from the Transformation Service process.
# Example: Grepping for requests to internal IPs
grep '192\.168\.' /var/log/alfresco/transformation-service.log
• generic web: Use a WAF to monitor and block outbound requests from the Alfresco Transformation Service to unexpected or sensitive destinations. Examine access logs for patterns indicative of SSRF attempts.
• database (mysql, redis, mongodb, postgresql): While not directly applicable, monitor database connections originating from the Transformation Service for unusual activity.
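A log-scanning check in the spirit of the grep above, added here as an example and not code from the Alfresco project: it extracts the fetched URL from each line and tests the target host against the full set of internal address ranges (RFC 1918, loopback, link-local and their IPv6 counterparts), rather than matching one prefix anywhere in the line. The log format and the "RemoteFetcher - fetching" message are assumptions; only the URL after "fetching" is inspected, so a client address elsewhere on the line is not a false positive.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges an SSRF request from the Transformation Service would reach "inside"
# the network, plus hostnames that always mean "this host".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
INTERNAL_HOSTNAMES = {"localhost"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_internal_target(url: str) -> bool:
    """True when the URL's host is a literal address in an internal range."""
    host = urlsplit(url).hostname  # drops port, userinfo and [] around IPv6
    if not host:
        return False
    if host.lower() in INTERNAL_HOSTNAMES:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolving it is out of scope for a log pass
    return any(addr in net for net in INTERNAL_NETS)


def flag_internal_requests(log_lines):
    """Return (line_number, url) for each fetched URL aimed at an internal host."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for url in URL_RE.findall(line):
            if is_internal_target(url):
                hits.append((number, url))
    return hits


# Constructed sample lines in an assumed log format (not real Alfresco output).
SAMPLE_LOG = """\
2026-02-20 10:01:02 INFO RemoteFetcher - fetching http://cdn.example.com/logo.png
2026-02-20 10:01:03 INFO RemoteFetcher - client=192.168.5.7 fetching http://cdn.example.com/a.png
2026-02-20 10:01:04 INFO RemoteFetcher - fetching http://192.168.1.10:8080/admin/
2026-02-20 10:01:05 INFO RemoteFetcher - fetching http://[::1]:8983/
2026-02-20 10:01:06 INFO RemoteFetcher - fetching http://localhost/status
2026-02-20 10:01:07 INFO RemoteFetcher - fetching http://172.20.3.4/
""".splitlines()

if __name__ == "__main__":
    for number, url in flag_internal_requests(SAMPLE_LOG):
        print(f"line {number}: request to internal target {url}")
```

Lines 3 to 6 of the sample are flagged; line 2 is not, because the private address there is the client, not the fetch target.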
EPSS
0.11% (29th percentile)
The primary mitigation for CVE-2026-26338 is to upgrade Alfresco Transformation Service to version 5.3.0 or later, which includes the necessary fix. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting outbound network access from the Transformation Service using a Web Application Firewall (WAF) or proxy server. Configure the WAF to block requests to known sensitive internal resources or external services. Carefully review and restrict the allowed protocols and domains that the Transformation Service can access. After upgrading, confirm the vulnerability is resolved by attempting a request to an internal resource and verifying that it is blocked or handled correctly.
Update Alfresco Transformation Service to version 4.3.0 or later, or to version 5.3.0 or later, as applicable. This corrects the SSRF vulnerability by allowing the service to properly validate requests before they are processed.
CVE-2026-26338 is a critical SSRF vulnerability in Alfresco Transformation Service allowing unauthenticated attackers to make server-side requests, potentially accessing internal resources. It affects versions 0.0.0 through 5.3.0.
If you are running Alfresco Transformation Service versions 0.0.0 through 5.3.0, you are potentially affected by this vulnerability. Upgrade to version 5.3.0 or later to mitigate the risk.
The recommended fix is to upgrade Alfresco Transformation Service to version 5.3.0 or later. As a temporary workaround, restrict outbound network access using a WAF or proxy server.
As of the current date, there is no public evidence of active exploitation of CVE-2026-26338 in the wild.
Please refer to the official Hyland/Alfresco security advisory for detailed information and updates regarding CVE-2026-26338.