Hyland OnBase Workflow Timer Service exposes files to unauthorized access
CVE-2026-26221
Summary
Hyland OnBase's Workflow Timer Service may allow an attacker to access and modify sensitive files on the server. This could potentially lead to unauthorized data exposure or even allow an attacker to run malicious code on the server. To mitigate this, ensure the Workflow Timer Service is not exposed to the internet and consider implementing additional security measures to restrict access to the service.
Original title
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .N...
Original description
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.
NVD CVSS 4.0
10.0
Vulnerability type
CWE-502
Deserialization of Untrusted Data
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026
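
A defender-side triage sketch for the exposure described above, added here as an example and not taken from the advisory or from Hyland. It flags connections to the Workflow Timer Service on TCP/8900 (and its named .rem endpoints) from hosts outside an allowlist, plus outbound SMB from the server to non-internal addresses. The record layout, IP addresses and allowlists are constructed assumptions.

```python
import ipaddress

# Assumed environment (constructed, not from the advisory): addresses and allowlists.
ONBASE_SERVER = ipaddress.ip_address("10.20.0.15")
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.0.0/28")]  # hosts expected to call the service
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
REMOTING_PORT = 8900  # default HTTP channel port named in the advisory
REMOTING_LEAVES = {"timerserviceapi.rem", "timerserviceevents.rem"}  # endpoints named in the advisory
SMB_PORT = 445

# Constructed sample records: (src_ip, dst_ip, dst_port, uri or None when only flow data exists)
SAMPLE = [
    ("10.20.0.5", "10.20.0.15", 8900, "/TimerServiceAPI.rem"),
    ("10.31.7.44", "10.20.0.15", 8900, "/TimerServiceEvents.rem"),
    ("10.31.7.44", "10.20.0.15", 8900, None),
    ("10.31.7.44", "10.20.0.15", 443, "/"),
    ("10.20.0.15", "203.0.113.9", 445, None),
    ("10.20.0.15", "10.20.0.2", 445, None),
]

def _in_any(ip, nets):
    return any(ip in net for net in nets)

def triage(records):
    """Return (finding, src, dst) tuples for traffic matching the advisory's exposure."""
    findings = []
    for src, dst, port, uri in records:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d == ONBASE_SERVER and port == REMOTING_PORT and not _in_any(s, ALLOWED_CLIENTS):
            # Compare only the last path segment, case-insensitively, ignoring any query string.
            leaf = (uri or "").split("?", 1)[0].rsplit("/", 1)[-1].lower()
            kind = "remoting-endpoint" if leaf in REMOTING_LEAVES else "remoting-port"
            findings.append((kind, src, dst))
        elif s == ONBASE_SERVER and port == SMB_PORT and not _in_any(d, INTERNAL_NETS):
            # Outbound SMB to a non-internal host is consistent with UNC-path coercion.
            findings.append(("outbound-smb", src, dst))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Coercion toward a host inside the internal ranges is not flagged by this sketch; tightening `INTERNAL_NETS` to the file servers the OnBase host legitimately uses narrows that gap.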