Unauthenticated .NET Remoting Vulnerability in Hyland OnBase Services
CVE-2026-26221

9.3 CRITICAL

Key Information:

Vendor: Hyland
CVE Published: 13 February 2026

What is CVE-2026-26221?

The Hyland OnBase Workflow Timer Service and Workview Timer Service expose .NET Remoting without authentication. By sending specially crafted .NET Remoting requests to the standard HTTP channel endpoints on TCP/8900, a remote attacker can trigger unsafe object unmarshalling. This could result in unauthorized file read/write operations, potentially leading to remote code execution. Attackers may also use SMB coercion: supplying a UNC path directs outbound NTLM authentication to malicious hosts. Prompt mitigation is necessary to safeguard against these risks.

Affected Version(s)

OnBase Workflow Timer Service 8.0 <= 17.0.0

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Victor A. Morales, Senior Pentester Team Leader, GM SecTec Inc.
VulnCheck