## https://sploitus.com/exploit?id=FAB75912-4983-56E5-8009-190C4D9237A3
# CVE-2026-26336 โ Alfresco Share Unauthenticated File Read
## Overview
Alfresco Share exposes a `/share/page/resource/` endpoint used to serve static resources. In vulnerable versions, this endpoint does not properly restrict path traversal, allowing an unauthenticated attacker to read arbitrary files within the Share webapp (and potentially sibling webapps deployed in the same Tomcat instance).
## Affected Versions
- Alfresco Community Edition < 25.3.0 (direct traversal)
- Alfresco Community Edition 25.3.0 (patch bypass via `..;/`)
## Impact
An unauthenticated attacker can read any file within the deployed webapp:
- `WEB-INF/web.xml` โ servlet configuration, filter chains, security constraints
- `WEB-INF/classes/alfresco-global.properties` โ database credentials, LDAP bind passwords, SMTP credentials
- `WEB-INF/classes/alfresco/keystore/ssl.keystore` โ mTLS certificates used for Solr communication
- `WEB-INF/classes/alfresco/keystore/ssl-keystore-passwords.properties` โ keystore passwords
- `META-INF/MANIFEST.MF` โ exact version and build information
NB: If the Alfresco webapp is co-deployed in the same Tomcat, double traversal (`..;/..;/alfresco/...`) reaches the Alfresco WAR, exposing database credentials and keystore material.
## Usage
```
python poc.py -t https://target.com
python poc.py -t https://target.com -f WEB-INF/classes/alfresco-global.properties
python poc.py -t https://target.com --dump
```
## Disclaimer
This tool is provided for authorized security testing and educational purposes only. Unauthorized access to computer systems is illegal. Always obtain written permission before testing.