CVE-2026-26221

N/A Unknown
Published: February 13, 2026 Modified: February 13, 2026
View on NVD

Description

Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://community.hyland.com/resources/bulletins-and-notices/223223-security-update-onbase-workflow-timer-service-bulletin-ob2025-03
Source: disclosure@vulncheck.com
https://www.hyland.com/en/solutions/products/onbase
Source: disclosure@vulncheck.com
https://www.vulncheck.com/advisories/hyland-onbase-timer-services-unauthenticated-net-remoting-rce
Source: disclosure@vulncheck.com

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
EPSS (Exploit Probability)
1.4%
80th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-502

Related CVEs

CVE-2026-31788 N/A
CVE-2026-23395 N/A
CVE-2026-23394 N/A
CVE-2026-23393 N/A
CVE-2026-23392 N/A