CVE-2026-26221

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-26221
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://community.hyland.com/resources/bulletins-and-notices/223223-security-update-onbase-workflow-timer-service-bulletin-ob2025-03
https://www.hyland.com/en/solutions/products/onbase
https://www.vulncheck.com/advisories/hyland-onbase-timer-services-unauthenticated-net-remoting-rce
Configurations

No configuration.

History

14 Apr 2026, 00:16

Type Values Removed Values Added
Summary
  • (es) Hyland OnBase contiene una exposición de .NET Remoting sin autenticación en el Servicio de Temporizador de Flujo de Trabajo de OnBase (Hyland.Core.Workflow.NTService.exe). Un atacante que puede alcanzar el servicio puede enviar solicitudes de .NET Remoting manipuladas a los puntos finales de canal HTTP predeterminados en TCP/8900 (p. ej., TimerServiceAPI.rem y TimerServiceEvents.rem para Flujo de Trabajo) para activar la deserialización insegura de objetos, lo que permite la lectura/escritura arbitraria de archivos. Al escribir contenido controlado por el atacante en ubicaciones accesibles por la web o encadenando con otras características de OnBase, esto puede llevar a la ejecución remota de código. La misma primitiva puede ser abusada al proporcionar una ruta UNC para forzar la autenticación NTLM saliente (coerción SMB) a un host controlado por el atacante.
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8

13 Feb 2026, 18:16

Type Values Removed Values Added
Summary (en) Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe) and is also reported by the vendor to impact the Workview Timer Service (an impacted version range is undefined). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host. (en) Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.
References
  • {'url': 'https://community.hyland.com/resources/bulletins-and-notices/210540-security-update-hyland-timer-service-bulletin-ob2025-02', 'source': 'disclosure@vulncheck.com'}

13 Feb 2026, 16:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-13 16:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-26221

Mitre link : CVE-2026-26221

CVE.ORG link : CVE-2026-26221

JSON object : View

Products Affected

No product.

CWE
CWE-502

Deserialization of Untrusted Data