Unauthenticated .NET Remoting Vulnerability in Hyland OnBase Services
CVE-2026-26221
9.3CRITICAL
Key Information:
- Vendor
Hyland
- Vendor
- CVE Published:
- 13 February 2026
What is CVE-2026-26221?
The Hyland OnBase Workflow Timer Service and Workview Timer Service are vulnerable to unauthenticated .NET Remoting exposure, allowing remote attackers to exploit this weakness. By sending specially crafted .NET Remoting requests to standard HTTP channel endpoints on TCP/8900, attackers can trigger unsafe object unmarshalling. This could result in unauthorized file read/write operations, potentially leading to remote code execution. Additionally, attackers may leverage SMB coercion by supplying a UNC path to direct outbound NTLM authentication to malicious hosts. Prompt mitigation is necessary to safeguard against these risks.
Affected Version(s)
OnBase Workflow Timer Service 8.0 <= 17.0.0
References
CVSS V4
Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Victor A. Morales, Senior Pentester Team Leader, GM SecTec Inc.
VulnCheck
