CVE-2026-26221

Critical · Public PoC · RCE

Published: 13 February 2026
Modified: 15 April 2026
CVSS v4 score: 9.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0112 (62.0th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-26221 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Hyland OnBase (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service executable Hyland.Core.Workflow.NTService.exe. The flaw permits unsafe object unmarshalling when crafted requests reach default HTTP channel endpoints such as TimerServiceAPI.rem and TimerServiceEvents.rem on TCP port 8900, resulting in arbitrary file read and write operations. The same primitive can be used to supply a UNC path that coerces outbound NTLM authentication.

An attacker who can reach the service over the network can exploit the exposure without authentication or user interaction. Successful exploitation yields arbitrary file access that can be chained to achieve remote code execution by writing attacker-controlled content into web-accessible locations or by abusing other OnBase features. The SMB coercion capability further allows an attacker to capture NTLM hashes from the affected host.

The Hyland security bulletin OB2025-03 and related advisories describe the issue and direct customers to apply the vendor-supplied update for the Workflow Timer Service. The references also point to the official OnBase product page and an independent analysis confirming the unauthenticated .NET Remoting vector.

EPSS for the CVE rose from a low starting value of 0.0082 to a peak of 0.0142, indicating emerging exploitation interest after disclosure. No additional real-world exploitation details are provided in the source data.

Vulnerability details

Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1557.001 Name Resolution Poisoning and SMB Relay (Credential Access): By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system.
Why these techniques?

Unauthenticated remote exploitation of a public-facing service (T1190) enables arbitrary file reads (T1005), web shell deployment via file writes to web directories (T1505.003), and SMB coercion that feeds NTLM relay attacks (T1557.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2017-20207 (shared CWE-502)
CVE-2025-31103 (shared CWE-502)
CVE-2026-3296 (shared CWE-502)
CVE-2026-27369 (shared CWE-502)
CVE-2026-25031 (shared CWE-502)
CVE-2025-55010 (shared CWE-502)
CVE-2026-25029 (shared CWE-502)
CVE-2017-20208 (shared CWE-502)
CVE-2026-35537 (shared CWE-502)
CVE-2026-2471 (shared CWE-502)

Affected Assets

Hyland OnBase (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

AC-3 Access Enforcement (prevent): Directly enforces authentication and authorization checks before allowing any access to the Workflow Timer Service endpoints on TCP/8900, blocking the unauthenticated .NET Remoting requests that trigger unsafe unmarshalling.

SC-7 Boundary Protection (prevent): Restricts network traffic to the exposed TimerServiceAPI.rem and TimerServiceEvents.rem endpoints, preventing an attacker from reaching the unauthenticated .NET Remoting channel from external hosts.

Identification and authentication (prevent): Requires identification and authentication of any subject attempting to connect to the Workflow Timer Service, eliminating the unauthenticated access path that enables arbitrary file read/write and SMB coercion.
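As an added example (not part of this advisory or of Hyland's software), a small Python check that applies the boundary-protection logic above to constructed flow records: it flags connections to the Workflow Timer Service port TCP/8900 from hosts outside an assumed client allowlist, and outbound SMB from the OnBase host to non-internal addresses, which is the traffic pattern a coerced NTLM authentication would produce. The host addresses, allowlist and internal ranges are assumptions.

```python
# Added example, not from the advisory: flag network flows relevant to this
# exposure. Flow records are constructed; host addresses, the client allowlist
# and the internal ranges are assumptions chosen for illustration.
import ipaddress
from dataclasses import dataclass

TIMER_SERVICE_PORT = 8900  # default HTTP channel port of the Workflow Timer Service
SMB_PORT = 445             # outbound SMB is the NTLM coercion path described above

ONBASE_HOSTS = {"10.0.5.20"}                        # assumed: OnBase application server
ALLOWED_TIMER_CLIENTS = ["10.0.5.0/24"]             # assumed: subnets allowed to reach TCP/8900
INTERNAL_RANGES = ["10.0.0.0/8", "192.168.0.0/16"]  # assumed: corporate address space


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def _in_ranges(ip: str, ranges) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def classify(flow: Flow):
    """Return a finding label for a flow, or None if it is unremarkable."""
    # Inbound to the .NET Remoting channel from a client that is not allowlisted.
    if (flow.dst in ONBASE_HOSTS and flow.dport == TIMER_SERVICE_PORT
            and not _in_ranges(flow.src, ALLOWED_TIMER_CLIENTS)):
        return "timer-service-exposure"
    # Outbound SMB from the OnBase host to a non-internal address: possible coercion.
    if (flow.src in ONBASE_HOSTS and flow.dport == SMB_PORT
            and not _in_ranges(flow.dst, INTERNAL_RANGES)):
        return "smb-coercion"
    return None


def findings(flows):
    """Pair each flagged flow with its label, preserving input order."""
    return [(f, label) for f in flows if (label := classify(f)) is not None]


# Constructed sample flows: a legitimate client, a stray external client,
# a normal internal SMB connection and an outbound SMB to an external host.
SAMPLE_FLOWS = [
    Flow("10.0.5.31", "10.0.5.20", 8900),
    Flow("203.0.113.9", "10.0.5.20", 8900),
    Flow("10.0.5.20", "10.0.1.5", 445),
    Flow("10.0.5.20", "198.51.100.77", 445),
]
```

Running `findings(SAMPLE_FLOWS)` reports only the external client on TCP/8900 and the outbound SMB to the external address; a real deployment would feed it flow records from the firewall or NetFlow collector instead of the constructed list.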
