CVE-2026-26221
Published: 13 February 2026
Summary
CVE-2026-26221 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Hyland OnBase (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 38.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service executable Hyland.Core.Workflow.NTService.exe. The flaw permits unsafe object unmarshalling when crafted requests reach default HTTP channel endpoints such as TimerServiceAPI.rem and TimerServiceEvents.rem on TCP port 8900, resulting in arbitrary file read and write operations. The same primitive can be used to supply a UNC path that coerces outbound NTLM authentication.
An attacker who can reach the service over the network can exploit the exposure without authentication or user interaction. Successful exploitation yields arbitrary file access that can be chained to achieve remote code execution by writing attacker-controlled content into web-accessible locations or by abusing other OnBase features. The SMB coercion capability further allows an attacker to capture NTLM hashes from the affected host.
The Hyland security bulletin OB2025-03 and related advisories describe the issue and direct customers to apply the vendor-supplied update for the Workflow Timer Service. The references also point to the official OnBase product page and an independent analysis confirming the unauthenticated .NET Remoting vector.
EPSS for the CVE rose from a low starting value of 0.0082 to a peak of 0.0142, indicating emerging exploitation interest after disclosure. No additional real-world exploitation details are provided in the source data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7376
Vulnerability details
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of public-facing service (T1190) enables arbitrary file reads (T1005), web shell deployment via file writes to web directories (T1505.003), and SMB coercion for NTLM relay attacks (T1557.001).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces authentication and authorization checks before allowing any access to the Workflow Timer Service endpoints on TCP/8900, blocking the unauthenticated .NET Remoting requests that trigger unsafe unmarshalling.
Restricts network traffic to the exposed TimerServiceAPI.rem and TimerServiceEvents.rem endpoints, preventing an attacker from reaching the unauthenticated .NET Remoting channel from external hosts.
Requires identification and authentication of any subject attempting to connect to the Workflow Timer Service, eliminating the unauthenticated access path that enables arbitrary file read/write and SMB coercion.
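To verify that the boundary-protection control above is actually holding, the following added example (not part of the original page or any vendor tooling) audits network flow records for two signals the page describes: clients outside an allowlist reaching TCP/8900 on the OnBase host, and outbound SMB from that host to non-internal addresses. The flow-record layout, host address, and network ranges are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumptions (not from the page): host address, allowlist, and "ts src dst dport" record layout.
ONBASE_HOST = ipaddress.ip_address("10.20.0.15")
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.0.0/24")]  # subnet permitted to reach TCP/8900
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TIMER_PORT = 8900  # default HTTP channel port for the Workflow Timer Service, per the page
SMB_PORT = 445

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2026-02-14T09:00:01Z 10.20.0.31 10.20.0.15 8900
2026-02-14T09:02:17Z 10.77.4.9 10.20.0.15 8900
2026-02-14T09:02:19Z 10.20.0.15 203.0.113.50 445
2026-02-14T09:05:44Z 10.20.0.15 10.20.0.8 445
2026-02-14T09:06:02Z 198.51.100.23 10.20.0.15 8900
malformed line here
"""

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def audit_flows(text):
    """Return (timestamp, finding, peer_ip) tuples for flows that violate the expected boundary."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip records that do not match the assumed layout
        ts, src_s, dst_s, port_s = parts
        try:
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue  # unparseable address or port
        # Inbound to the Timer Service from a client outside the allowlist
        if dst == ONBASE_HOST and port == TIMER_PORT and not _in_any(src, ALLOWED_CLIENTS):
            findings.append((ts, "unexpected-client-to-8900", str(src)))
        # Outbound SMB from the OnBase host to a non-internal address (possible NTLM coercion)
        elif src == ONBASE_HOST and port == SMB_PORT and not _in_any(dst, INTERNAL_NETS):
            findings.append((ts, "outbound-smb-to-external", str(dst)))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

An inbound finding followed shortly by an outbound SMB finding from the same host, as in the sample records, warrants priority review.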