CVE-2026-26336: CWE-863 Incorrect Authorization in Hyland Alfresco Enterprise
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.
AI Analysis
Technical Summary
CVE-2026-26336 is an incorrect authorization vulnerability classified under CWE-863 affecting Hyland Alfresco Enterprise versions 7.4.x, 23.6.x, and 25.1.x. The flaw exists in the "/share/page/resource/" endpoint, which does not correctly enforce access controls and therefore allows unauthenticated attackers to read arbitrary files from protected directories such as WEB-INF. These directories typically contain sensitive configuration files, including credentials, internal settings, and deployment information. Exploitation requires no authentication and no user interaction, and can be performed remotely over the network, making the flaw highly accessible to attackers. The vulnerability’s CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) reflects its network attack vector, low attack complexity, and no required privileges or user interaction, with a high impact on confidentiality. Although no exploits have been reported in the wild yet, the exposure of configuration files can lead to further compromise, such as privilege escalation, lateral movement, or data exfiltration. The lack of available patches at the time of reporting necessitates immediate risk mitigation strategies. This vulnerability highlights the critical need for robust access control validation in web application endpoints to prevent unauthorized file disclosure.
Potential Impact
The primary impact of CVE-2026-26336 is the unauthorized disclosure of sensitive configuration files from protected directories within Alfresco Enterprise deployments. This exposure can compromise confidentiality by revealing credentials, encryption keys, or internal system configurations that attackers can leverage for further exploitation. Organizations may face increased risk of data breaches, unauthorized access, and potential disruption of services if attackers use disclosed information to escalate privileges or move laterally within networks. The vulnerability affects all users of the specified Alfresco versions, potentially impacting enterprises relying on Alfresco for document management, collaboration, and content services. Given the ease of exploitation and no authentication requirement, attackers globally can target vulnerable systems, increasing the risk of widespread compromise. The absence of known exploits currently limits immediate widespread impact, but the vulnerability’s nature makes it a high-value target for threat actors once exploit code becomes available.
Mitigation Recommendations
1. Apply official patches or updates from Hyland as soon as they become available to address the authorization flaw in the "/share/page/resource/" endpoint.
2. In the absence of patches, implement strict network-level access controls to restrict access to Alfresco Enterprise management and resource endpoints, limiting exposure to trusted internal networks or VPNs only.
3. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable endpoint, especially those attempting to access protected directories like WEB-INF.
4. Conduct thorough audits of Alfresco server configurations and logs to detect any unauthorized file access attempts.
5. Review and harden file system permissions on the Alfresco server to minimize sensitive file exposure.
6. Educate security teams to monitor for indicators of compromise related to this vulnerability and prepare incident response plans.
7. Consider temporarily disabling or restricting access to the vulnerable endpoint if feasible without disrupting business operations.
8. Maintain up-to-date backups and ensure recovery procedures are tested in case of compromise.
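Recommendations 3 and 4 call for WAF rules and log audits that flag requests to the vulnerable endpoint reaching into WEB-INF. The following is an added example of that detection logic, not code from the advisory or from Hyland: it parses combined-format access-log lines, percent-decodes the request path (once and twice, so an encoded separator does not hide the directory name), and reports any request whose path goes through "/share/page/resource/" into a protected directory. The log lines are constructed for the example; "META-INF" is included as an assumed second protected directory beyond the WEB-INF the advisory names.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Feb/2026:16:33:47 +0000] "GET /share/page/resource/components/console/consoles.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [19/Feb/2026:16:34:02 +0000] "GET /share/page/resource/WEB-INF/web.xml HTTP/1.1" 200 8831 "-" "curl/8.5.0"
203.0.113.12 - - [19/Feb/2026:16:34:09 +0000] "GET /share/page/resource/web-inf%2Fexample.properties HTTP/1.1" 200 1402 "-" "python-requests/2.31"
203.0.113.13 - - [19/Feb/2026:16:35:15 +0000] "GET /share/page/site-index HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

ENDPOINT = "/share/page/resource/"          # endpoint named in the advisory
PROTECTED = ("WEB-INF", "META-INF")         # META-INF is an assumption, not from the advisory


def is_suspicious(target: str) -> bool:
    """True if the request path goes through ENDPOINT into a protected directory."""
    path = urlsplit(target).path
    path = unquote(unquote(path))           # second decode catches double-encoded separators
    if not path.lower().startswith(ENDPOINT):
        return False
    rest = path[len(ENDPOINT):]
    # Compare whole path segments, case-insensitively, so "web-inf" matches
    # but an unrelated name such as "WEB-INFO" does not.
    return any(seg.upper() in PROTECTED for seg in rest.split("/"))


def scan_log(text: str) -> list:
    """Return one dict per suspicious request; status 200 suggests the read succeeded."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": m["target"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"ALERT {h['ts']} {h['ip']} status={h['status']} {h['target']}")
```

Requests that match with a 2xx status deserve immediate triage, since the control was evidently not enforced; a 403 or 404 on the same path indicates a blocked or failed attempt and is still worth recording as an indicator.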
Affected Countries
United States, United Kingdom, Germany, France, Australia, Canada, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-13T17:28:43.052Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69973b6be884a8a4cb409748
Added to database: 2/19/2026, 4:33:47 PM
Last enriched: 2/19/2026, 4:42:25 PM
Last updated: 2/21/2026, 12:18:17 AM