Description
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.
Published: 2026-02-13
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Remediation
AI Analysis

Impact

Hyland OnBase allows an unauthenticated attacker to send crafted .NET Remoting requests to the Workflow Timer Service (Hyland.Core.Workflow.NTService.exe) over TCP/8900. The server performs unsafe object unmarshalling, giving the attacker the power to read or write arbitrary files and, by inserting content into web‑accessible locations or chaining with other OnBase features, to execute code remotely. The same mechanism can be used to supply a UNC path that coerces the server into performing outbound NTLM authentication to an attacker‑controlled SMB host, potentially enabling further compromise. This vulnerability is classified under CWE‑502.

Affected Systems

The Hyland OnBase Workflow Timer Service, listed as Hyland:OnBase Workflow Timer Service. No specific product versions were listed in the advisory.

Risk and Exploitability

The CVSS base score of 9.3 rates this as Critical. The EPSS score is below 1%, indicating a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is network-based exploitation of the exposed .NET Remoting endpoint on port 8900, requiring only that the attacker can reach the service. Successful exploitation grants read/write access to critical files and can lead to remote code execution. The risk therefore remains significant for any exposed instance of the Timer Service, even if exploitation is currently rare.

Generated by OpenCVE AI on April 15, 2026 at 15:13 UTC.

Remediation

Vendor Workaround

It is recommended that customers immediately convert to the in-servicing module, Unity Scheduler, and uninstall the Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). Starting with OnBase 16, Unity Scheduler is the recommended replacement. It is recommended customers using versions prior to 16 upgrade to an in-servicing release of OnBase and leverage Unity Scheduler.


OpenCVE Recommended Actions

  • Convert immediately to the Unity Scheduler in‑servicing module and uninstall the Workflow Timer Service (Hyland.Core.Workflow.NTService.exe).
  • Upgrade the OnBase installation to version 16 or later, which recommends the Unity Scheduler and removes the vulnerable timer service.
  • If migration has not yet been completed, block or disable inbound traffic on TCP/8900 to eliminate the exposed .NET Remoting endpoint.
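The checks behind these actions can be scripted on the OnBase server. The following is an added example, not code from Hyland or OpenCVE: it looks for the timer service binary, for listeners on TCP/8900, and for an existing inbound block rule. The firewall rule name and the `-AddBlockRule` switch are assumptions made for illustration; run it from an elevated PowerShell session.

```powershell
# Added example: audit a Windows host for the exposed OnBase Workflow Timer Service.
# Binary name and port come from the advisory text; everything else is illustrative.
param([switch]$AddBlockRule)   # hypothetical switch: create the interim block rule

$BinaryName = 'Hyland.Core.Workflow.NTService.exe'
$Port       = 8900
$RuleName   = 'Block OnBase Timer Service Remoting (TCP 8900)'   # assumed rule name

# 1. Is the timer service still installed? Match on the binary path, because
#    the registered service name is not given in the advisory.
$services = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$BinaryName*" })

# 2. Is anything listening on the default .NET Remoting HTTP channel port?
$listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

# 3. Is an enabled inbound block rule for TCP/8900 already in place?
$blockRules = @(Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains "$Port"
    })

foreach ($s in $services) {
    'Service installed: {0} (state {1}, start mode {2})' -f $s.Name, $s.State, $s.StartMode
}
foreach ($l in $listeners) {
    # A listener bound only to 127.0.0.1 is not reachable from the network.
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    'Listener: {0}:{1} owned by PID {2} ({3})' -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName
}
'Inbound block rules covering TCP/{0}: {1}' -f $Port, $blockRules.Count

if ($listeners.Count -gt 0 -and $blockRules.Count -eq 0) {
    if ($AddBlockRule) {
        # Interim containment only; the service still has to be uninstalled.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
            -Protocol TCP -LocalPort $Port -Action Block | Out-Null
        "Created inbound block rule '$RuleName'."
    } else {
        "EXPOSED: TCP/$Port is listening with no inbound block rule. Re-run with -AddBlockRule."
    }
} elseif ($services.Count -gt 0) {
    'Service binary is present; uninstall it after moving to Unity Scheduler.'
} else {
    'No timer service binary or listener found on this host.'
}
```

A host-firewall rule does not cover upstream network ACLs, so check those separately for TCP/8900.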


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 00:00:00 +0000

Type: Metrics

Values Removed:
cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Values Added:
cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Hyland onbase
CPEs cpe:2.3:a:hyland:onbase:*:*:*:*:*:*:*:*
Vendors & Products Hyland onbase

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Hyland
Hyland onbase Workflow Timer Service
Hyland onbase Workview Timer Service
Vendors & Products Hyland
Hyland onbase Workflow Timer Service
Hyland onbase Workview Timer Service

Fri, 13 Feb 2026 18:30:00 +0000


Fri, 13 Feb 2026 17:30:00 +0000

Type: Description

Values Removed:
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe) and is also reported by the vendor to impact the Workview Timer Service (an impacted version range is undefined). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.

Values Added:
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.

Fri, 13 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 13 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
Description Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe) and is also reported by the vendor to impact the Workview Timer Service (an impacted version range is undefined). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.
Title Hyland OnBase Timer Services Unauthenticated .NET Remoting RCE
Weaknesses CWE-502
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T23:37:31.178Z

Reserved: 2026-02-11T20:08:07.945Z

Link: CVE-2026-26221

Vulnrichment

Updated: 2026-02-13T15:37:30.868Z

NVD

Status: Deferred

Published: 2026-02-13T16:16:11.683

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26221

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses