CVE-2026-26221

CRITICAL

Hyland OnBase - Unauthenticated RCE

Title source: llm

Description

Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-26221

View Code ZIP pw:eip

github WORKING POC

by mbanyamer · pythonpoc

https://github.com/mbanyamer/CVE-2026-26221-Hyland-OnBase-Timer-Service-Unauthenticated-RCE

View Code ZIP pw:eip

References (3)

[Various Sources] https://www.hyland.com/en/solutions/products/onbase

[Various Sources] https://community.hyland.com/resources/bulletins-and-notices/223223-security-update-onbase-workflow-timer-service-bulletin-ob2025-03

[Third Party Advisory] https://www.vulncheck.com/advisories/hyland-onbase-timer-services-unauthenticated-net-remoting-rce

Scores

CVSS v3 9.8

EPSS 0.0062

EPSS Percentile 70.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-502

Status published

Products (2)

Hyland/OnBase Workflow Timer Service 8.0 - 17.0.*

Hyland/OnBase Workflow Timer Service 8.0 - 17.0.x

Published Feb 13, 2026

Tracked Since Feb 18, 2026