CVE-2026-26221CRITICAL 9.8EPSS p62.0%

CVE-2026-26221CVE-2026-26221

Description

Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS1.12% probability of exploitation · percentile 62.0% · 2026-06-18T12:00:27Z
Published2026-02-13
Last modified2026-04-15

Underlying weaknesses· 1

CWE-502

References

  1. https://community.hyland.com/resources/bulletins-and-notices/223223-security-update-onbase-workflow-timer-service-bulletin-ob2025-03
  2. https://www.hyland.com/en/solutions/products/onbase
  3. https://www.vulncheck.com/advisories/hyland-onbase-timer-services-unauthenticated-net-remoting-rce

1

TypeTargetConfidenceTier
WeaknessDeserialization of Untrusted Datacwe-5020%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-26339
CVE
CVE-2026-26337
CVE
CVE-2026-26222
CVE
CVE-2026-23751
CVE
CVE-2026-0611
CVE
CVE-2026-26333
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.