angelborroy
Community Manager

This post covers three vulnerabilities affecting the Hyland Alfresco Transformation Service (ATS) and related transformation components. Each issue is remotely exploitable and does not require authentication.

Summary

  • CVE-2026-26337 – Absolute path traversal leading to Arbitrary File Read + SSRF
  • CVE-2026-26338 – SSRF via document processing functionality
  • CVE-2026-26339 – Argument injection leading to Remote Code Execution

CVE-2026-26337: Absolute Path Traversal (Arbitrary File Read + SSRF)

This vulnerability allows unauthenticated attackers to abuse absolute path traversal in transformation flows to achieve both arbitrary file read and server-side request forgery (SSRF).

Impact

  • Arbitrary file read (within the reachable scope of the service)
  • SSRF (ability to make outbound requests from the transformation service)

Affected Components

This vulnerability affects both:

  • Alfresco Transform Service (ATS)
  • Alfresco Transform Core / Transform Core AIO

The issue originates in transformation handling logic that exists in the core transformation code. Since ATS packages and executes Transform Core internally, both standalone ATS deployments and Community Transform Core AIO deployments are affected if running vulnerable versions.

How to address it

Upgrade to a fixed version (preferred).

  • Enterprise (ATS): upgrade to ATS 4.3.0
  • Community (Transform Core AIO): upgrade to Transform Core AIO 5.3.0

CVE-2026-26338: SSRF

This vulnerability allows unauthenticated attackers to trigger SSRF through the document processing functionality.

Impact

  • SSRF, which can be used to probe or access internal services that are reachable from the transformation environment

Affected Components

This vulnerability affects:

  • Alfresco Transform Service (ATS)

This issue is related to how the transformation service processes and handles external resource requests during document processing. It is exposed through the service layer. Transform Core by itself does not expose a network endpoint and therefore is not independently exploitable in this context without the service layer.

How to address it

Upgrade to a fixed version (preferred).

  • Enterprise (ATS): upgrade to ATS 4.3.0
  • Community (Transform Core AIO): upgrade to Transform Core AIO 5.3.0

CVE-2026-26339: Argument Injection (RCE)

This vulnerability allows unauthenticated attackers to achieve remote code execution via argument injection in the document processing functionality.

Impact

  • Remote code execution (RCE)

Affected Components

This vulnerability affects:

  • Alfresco Transform Service (ATS)

The issue is caused by improper handling of arguments passed during document processing operations within the service runtime. Exploitation requires the network-exposed service component. Transform Core alone does not expose this execution surface without the ATS service orchestration layer.

How to address it

Upgrade to a fixed version (preferred).

  • Enterprise (ATS): upgrade to ATS 4.2.3 (or later)
  • Community (Transform Core AIO): upgrade to Transform Core AIO 5.2.4 (or later)

Additional recommendations

  • Do not expose transformation endpoints to untrusted networks. Keep ATS and transformation components on internal networks (especially important for SSRF scenarios).
  • Use allowlists for outbound destinations where possible, and block access to sensitive internal ranges and metadata endpoints.
  • Ensure standard perimeter protections are in place (reverse proxy rules, firewalls, and access controls).
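The second recommendation above, an egress allowlist that also refuses sensitive internal ranges and cloud metadata endpoints, as an added example (not Alfresco or Hyland code). The allowlisted host names and the management range 10.0.0.0/24 are constructed placeholders; the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed sample policy: outbound fetches are allowed only to these hosts (deny by default).
ALLOWED_HOSTS = {"repo.internal.example", "shared-fs.internal.example"}
ALLOWED_SCHEMES = {"http", "https"}
# Well-known cloud metadata service names, refused regardless of the allowlist.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}
# Networks an allowlisted name must never resolve to: loopback, link-local (which
# includes 169.254.169.254) and a constructed example of a sensitive management range.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10", "10.0.0.0/24")]

def default_resolve(host: str) -> list[str]:
    """Resolve a host name to all of its A/AAAA addresses with the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def blocked_network_for(ip: str):
    """Return the blocked network that contains `ip`, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip.split("%")[0])  # drop an IPv6 zone id such as %eth0
    return next((net for net in BLOCKED_NETWORKS if addr in net), None)

def check_outbound_url(url: str, resolve=default_resolve) -> tuple[bool, str]:
    """Deny-by-default egress check for a URL the transformation service would fetch.
    Returns (allowed, reason); `resolve` can be replaced to avoid real DNS lookups."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    if host in METADATA_HOSTS:
        return False, f"metadata endpoint: {host}"
    if host not in ALLOWED_HOSTS:  # literal IP addresses are never allowlisted here
        return False, f"host not in allowlist: {host}"
    # Check every address the name resolves to, so an allowlisted name that is later
    # pointed at loopback, link-local or a blocked range is still refused.
    for ip in resolve(host):
        net = blocked_network_for(ip)
        if net is not None:
            return False, f"{host} resolves to {ip} in blocked network {net}"
    return True, "allowed"
```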

References

Acknowledgment: thanks to Piotr Bazydło (watchTowr) for responsible disclosure.

2 Comments
yuhei
Confirmed Champ

Hello

Is Transform Outlook (from Alfresco Outlook Integration) affected by this CVE?

If yes, is there a fix?

Thank you

angelborroy
Community Manager

It's not.