Hyland Connect

angelborroy · ‎02-20-2026

The CVE record is available at: https://www.cve.org/cverecord?id=CVE-2026-26336 .

Summary

Impact: Arbitrary File Read
Authentication required: No
Severity: High (CVSS 3.1: 7.5)

What is the vulnerability?

Using crafted HTTP requests, an attacker can read certain application files located within the Share web application directory. No authentication is required to exploit this issue.

The vulnerability is limited to files within the Share web application directory and does not permit arbitrary filesystem access beyond that scope.

Affected versions

Enterprise (Alfresco Content Services)

7.4.x through 7.4.2.5
23.1 through 23.6.0
25.1 through 25.2

Community Edition

All versions prior to 25.3

Fixed versions

Enterprise (Alfresco Content Services)

7.4.2.6
23.6.1
25.3 and later

Community Edition

25.3

How to address it

Upgrade Share by moving to a fixed release listed above (preferred). Customers should apply the appropriate hotfix or upgrade as soon as possible.

Additional recommendations:

Do not expose Share endpoints unnecessarily to untrusted networks.
Ensure standard network protections are in place (reverse proxy rules, firewall controls, restricted access).

References

CVE record: https://www.cve.org/cverecord?id=CVE-2026-26336
Hyland Security Bulletin: Hyland-Security_Bulletin-CVE-2026-26336 (PDF) (use your HylandID)

Acknowledgment: Thanks to Piotr Bazydło (watchTowr) for responsible disclosure.

yuhei · ‎02-23-2026

Hello

Is the version 7.4.1 affected too ? And what about versions prior to 7.4.1?

Thank you

angelborroy · ‎02-24-2026

7.4.1 and previous versions are affected too.