CVE-2026-26221
Unauthenticated .NET Remoting Leads to RCE in Hyland OnBase
Publication date: 2026-02-13
Last updated on: 2026-04-14
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hyland | onbase | 8.0 |
| hyland | onbase | 17.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26221 is a critical vulnerability in the Hyland OnBase Workflow Timer Service and Workview Timer Service that allows unauthenticated attackers to exploit .NET Remoting endpoints on TCP port 8900. By sending specially crafted .NET Remoting requests, the attacker triggers unsafe object unmarshalling, which enables arbitrary file read and write operations.
This unsafe deserialization can be leveraged to write attacker-controlled content into web-accessible locations or combined with other OnBase features to achieve remote code execution. Additionally, the vulnerability can be abused to coerce outbound NTLM authentication via SMB coercion by supplying a UNC path pointing to an attacker-controlled host.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized remote code execution on affected systems without any authentication or user interaction.
- Attackers can read and write arbitrary files on the system.
- Remote code execution can lead to full system compromise.
- Attackers can coerce outbound NTLM authentication to attacker-controlled hosts, potentially leading to credential theft or further network attacks.
Given the critical CVSS score of 10.0, the vulnerability poses a high risk to confidentiality, integrity, and availability of affected systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the Hyland OnBase Workflow Timer Service or Workview Timer Service listening on TCP port 8900. An attacker can send specially crafted .NET Remoting requests to default HTTP channel endpoints such as TimerServiceAPI.rem and TimerServiceEvents.rem on this port.
To detect potential exploitation or presence of the vulnerable service, you can scan your network for open TCP port 8900 on hosts running Hyland OnBase services.
- Use a network scanning tool like nmap to identify hosts with port 8900 open: nmap -p 8900 <target-ip>
- Use curl or similar HTTP client to send a test request to the endpoints to see if the service responds: curl http://<target-ip>:8900/TimerServiceAPI.rem
- Monitor network traffic for unusual .NET Remoting requests or SMB authentication attempts that could indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the vulnerable services on TCP port 8900 to trusted hosts only, such as by using firewall rules.
If possible, disable or stop the OnBase Workflow Timer Service and Workview Timer Service until a patch or update is applied.
Monitor logs and network traffic for suspicious activity related to .NET Remoting requests or SMB coercion attempts.
Contact Hyland for official patches or updates addressing this vulnerability and apply them as soon as they become available.