CVE-2026-26221

CRITICAL 9.8

Hyland OnBase Timer Services Unauthenticated .NET Remoting RCE

CVSS Score

9.8

EPSS Score

0.8%

EPSS Percentile

74th

Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.

CWE	CWE-502
Vendor	hyland
Product	onbase workflow timer service
Published	Feb 13, 2026
Last Updated	Apr 13, 2026

Stay Ahead of the Next One

Get instant alerts for hyland onbase workflow timer service

Be the first to know when new critical vulnerabilities affecting hyland onbase workflow timer service are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Hyland / OnBase Workflow Timer Service

8.0 ≤ 17.0.*

References

NVD ↗ CVE.org ↗ EPSS Data ↗

hyland.com: https://www.hyland.com/en/solutions/products/onbase community.hyland.com: https://community.hyland.com/resources/bulletins-and-notices/223223-security-update-onbase-workflow-timer-service-bulletin-ob2025-03 vulncheck.com: https://www.vulncheck.com/advisories/hyland-onbase-timer-services-unauthenticated-net-remoting-rce

Credits

Victor A. Morales, Senior Pentester Team Leader, GM Sectec, Corp. VulnCheck