CVE-2026-26221— Hyland OnBase Timer Services Unauthenticated .NET Remoting RCE
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-26221
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Hyland OnBase Timer Services Unauthenticated .NET Remoting RCE
Source: NVD (National Vulnerability Database)
Vulnerability Description
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
Hyland Software Hyland OnBase 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Hyland Software Hyland OnBase是美国Hyland Software公司的一款用于展示企业信息管理、流程的平台。 Hyland Software Hyland OnBase存在安全漏洞,该漏洞源于OnBase Workflow Timer Service存在未经身份验证的.NET Remoting暴露,可能导致发送特制.NET Remoting请求触发不安全的对象反序列化,从而实现任意文件读写,进而导致远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Hyland | OnBase Workflow Timer Service | 8.0 ~ 17.0.* | - |
II. Public POCs for CVE-2026-26221
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | None | https://github.com/mbanyamer/CVE-2026-26221-Hyland-OnBase-Timer-Service-Unauthenticated-RCE | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-26221
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: Hyland
- CVE-2026-26339
Hyland Alfresco Transformation Service Argument Injection RC - CVE-2026-26338
Hyland Alfresco Transformation Service SSRF - CVE-2026-26337
Hyland Alfresco Transformation Service Absolute Path Travers - CVE-2026-26336
Hyland Alfresco Improper Authorization Arbitrary File Read - CVE-2025-0557
Hyland Alfresco Community Edition URL s cross site scripting
Same weakness: CWE-502
- CVE-2026-44126
Insecure deserialization - CVE-2026-5127
User Frontend: AI Powered Frontend Posting, User Directory, - CVE-2026-41586
ObjectInputStream.readObject() without ObjectInputFilter in - CVE-2026-34084
PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFac - CVE-2026-7712
MindsDB Pickle pickle.loads deserialization
V. Comments for CVE-2026-26221
No comments yet