The CVE record is available at: https://www.cve.org/cverecord?id=CVE-2026-26336 .
Summary
- Impact: Arbitrary File Read
- Authentication required: No
- Severity: High (CVSS 3.1: 7.5)
What is the vulnerability?
Using crafted HTTP requests, an attacker can read certain application files located within the Share web application directory. No authentication is required to exploit this issue.
The vulnerability is limited to files within the Share web application directory and does not permit arbitrary filesystem access beyond that scope.
Affected versions
Enterprise (Alfresco Content Services)
- 7.4.x through 7.4.2.5
- 23.1 through 23.6.0
- 25.1 through 25.2
Community Edition
- All versions prior to 25.3
Fixed versions
Enterprise (Alfresco Content Services)
- 7.4.2.6
- 23.6.1
- 25.3 and later
Community Edition
How to address it
Upgrade Share by moving to a fixed release listed above (preferred). Customers should apply the appropriate hotfix or upgrade as soon as possible.
Additional recommendations:
- Do not expose Share endpoints unnecessarily to untrusted networks.
- Ensure standard network protections are in place (reverse proxy rules, firewall controls, restricted access).
References
Acknowledgment: Thanks to Piotr Bazydło (watchTowr) for responsible disclosure.
