
CVE-2026-26221: CWE-502 Deserialization of Untrusted Data in Hyland OnBase Workflow Timer Service

Severity: Critical
Published: Fri Feb 13 2026 (02/13/2026, 15:21:48 UTC)
Source: CVE Database V5
Vendor/Project: Hyland
Product: OnBase Workflow Timer Service

Description

Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 03/24/2026, 00:36:55 UTC

Technical Analysis

CVE-2026-26221 is a critical security vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting Hyland OnBase Workflow Timer Service version 8.0. The vulnerability arises from an unauthenticated exposure of the .NET Remoting interface in the OnBase Workflow Timer Service executable (Hyland.Core.Workflow.NTService.exe). This service listens on TCP port 8900 and exposes default HTTP channel endpoints such as TimerServiceAPI.rem and TimerServiceEvents.rem.

An attacker with network access to this port can send specially crafted .NET Remoting requests that exploit unsafe deserialization processes within the service. This unsafe object unmarshalling allows attackers to perform arbitrary file read and write operations on the host system. By writing attacker-controlled content into web-accessible directories or leveraging other OnBase features, attackers can escalate this to remote code execution (RCE). Furthermore, the vulnerability can be exploited to coerce the service into initiating outbound NTLM authentication requests by supplying a UNC path, enabling SMB relay or credential capture attacks.

The vulnerability requires no authentication or user interaction, making it trivially exploitable over the network. The CVSS 4.0 vector indicates network attack vector, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability, resulting in a maximum base score of 10. No official patches or mitigations are listed yet, and no known exploits have been observed in the wild as of the publication date. This vulnerability poses a severe risk to organizations using OnBase Workflow Timer Service, particularly those exposing the service to untrusted networks or lacking proper network segmentation and firewall controls.

Potential Impact

The impact of CVE-2026-26221 is severe and multifaceted. Successful exploitation allows unauthenticated remote attackers to read and write arbitrary files on the affected system, potentially leading to data theft, data manipulation, or destruction. The ability to write files into web-accessible locations or other critical directories can enable remote code execution, allowing attackers to execute arbitrary commands with the privileges of the OnBase Workflow Timer Service. This can lead to full system compromise, lateral movement within the network, and persistent footholds. Additionally, the SMB coercion technique can be used to capture or relay NTLM credentials, facilitating further network compromise and privilege escalation. Organizations relying on OnBase for document management and workflow automation may face operational disruptions, data breaches, and compliance violations. The vulnerability's unauthenticated nature and network accessibility significantly increase the risk of widespread exploitation, especially in environments where the service is exposed to untrusted networks or insufficiently segmented internal networks.

Mitigation Recommendations

1. Immediate network-level mitigation: Restrict access to TCP port 8900 on the OnBase Workflow Timer Service host using firewalls or network segmentation to allow only trusted management systems or internal networks.
2. Disable or block the .NET Remoting HTTP channel endpoints (TimerServiceAPI.rem and TimerServiceEvents.rem) if not required for business operations.
3. Monitor network traffic for unusual or unauthorized .NET Remoting requests targeting port 8900, and implement intrusion detection/prevention rules to detect exploitation attempts.
4. Implement SMB signing and enforce NTLM authentication restrictions to mitigate SMB coercion attacks.
5. Apply the official security patch or update from Hyland as soon as it becomes available; coordinate with Hyland support for timelines and interim mitigations.
6. Conduct a thorough audit of OnBase Workflow Timer Service configurations and logs to detect any signs of compromise or exploitation attempts.
7. Educate IT and security teams about this vulnerability and ensure incident response plans include scenarios involving deserialization attacks and NTLM relay techniques.
8. Consider isolating OnBase Workflow Timer Service hosts in dedicated network segments with strict access controls to minimize exposure.
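As an added illustration of recommendations 1, 3 and 4 (not code from Hyland or from this advisory's source), the following script runs a detection pass over constructed connection-log lines: it flags untrusted sources reaching the Timer Service remoting port and .rem endpoints named above, and flags outbound SMB from the OnBase host to anything other than a known file server, which is the observable side effect of the UNC-path coercion described in the advisory. The log format, host addresses, management network and file-server list are all assumptions for the example.

```python
import ipaddress
import re

# Assumed connection-log format (constructed for this example):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> [<method> <path>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: [A-Z]+ (?P<path>\S+))?$"
)

TIMER_SERVICE_PORT = 8900   # default .NET Remoting HTTP channel port named in the advisory
SMB_PORT = 445              # outbound SMB is the side effect of UNC-path coercion
REM_ENDPOINTS = {"/TimerServiceAPI.rem", "/TimerServiceEvents.rem"}  # endpoints named above

# Environment assumptions (constructed): OnBase host, management network, known file servers.
ONBASE_HOSTS = {"10.0.1.10"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]
FILE_SERVERS = {"10.0.2.5"}


def _trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def analyse(lines):
    """Return (timestamp, reason, line) for each log line matching an exposure pattern."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, dst, dport, path = m["src"], m["dst"], int(m["dport"]), m["path"]
        # Inbound: a source outside the management network reached the remoting port.
        if dst in ONBASE_HOSTS and dport == TIMER_SERVICE_PORT and not _trusted(src):
            what = "remoting endpoint " + path if path in REM_ENDPOINTS else "TCP/8900"
            findings.append((m["ts"], f"untrusted {src} reached {what}", line))
        # Outbound: the OnBase host opened SMB to a host that is not a known file server.
        elif src in ONBASE_HOSTS and dport == SMB_PORT and dst not in FILE_SERVERS:
            findings.append((m["ts"], f"possible SMB coercion: outbound SMB to {dst}", line))
    return findings


# Constructed sample log: one legitimate management call, two untrusted remoting requests,
# one normal file-server session, one suspicious outbound SMB session, one unrelated request.
SAMPLE_LOG = """\
2026-02-14T10:00:01Z 10.0.5.20:51000 -> 10.0.1.10:8900 POST /TimerServiceAPI.rem
2026-02-14T10:00:02Z 203.0.113.7:44100 -> 10.0.1.10:8900 POST /TimerServiceAPI.rem
2026-02-14T10:00:03Z 203.0.113.7:44101 -> 10.0.1.10:8900 POST /TimerServiceEvents.rem
2026-02-14T10:00:04Z 10.0.1.10:49200 -> 10.0.2.5:445
2026-02-14T10:00:05Z 10.0.1.10:49201 -> 203.0.113.7:445
2026-02-14T10:00:06Z 10.0.5.21:51001 -> 10.0.1.10:443 GET /login
"""

if __name__ == "__main__":
    for ts, reason, _ in analyse(SAMPLE_LOG.splitlines()):
        print(ts, reason)
```

The same two rules translate directly into firewall allow-lists (inbound 8900 only from MANAGEMENT_NETS, outbound 445 only to FILE_SERVERS), which is the preventive form of recommendations 1 and 4.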


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-02-11T20:08:07.945Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 698f4474c9e1ff5ad8426b31

Added to database: 2/13/2026, 3:34:12 PM

Last enriched: 3/24/2026, 12:36:55 AM

Last updated: 3/30/2026, 5:46:01 AM

Views: 207
