
CVE-2026-26221: CWE-502 Deserialization of Untrusted Data in Hyland OnBase Workflow Timer Service

Severity: Critical
Published: Fri Feb 13 2026 (02/13/2026, 15:21:48 UTC)
Source: CVE Database V5
Vendor/Project: Hyland
Product: OnBase Workflow Timer Service

Description

Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.

AI-Powered Analysis

Last updated: 02/13/2026, 15:48:34 UTC

Technical Analysis

CVE-2026-26221 is a critical security vulnerability affecting Hyland OnBase Workflow Timer Service version 8.0. The flaw arises from an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe) and potentially the Workview Timer Service, allowing attackers to send specially crafted .NET Remoting requests to default HTTP channel endpoints on TCP port 8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem). These requests trigger unsafe deserialization of untrusted data (CWE-502), enabling arbitrary file read and write operations on the target system. By writing attacker-controlled content into locations accessible via the web or chaining with other OnBase features, attackers can achieve remote code execution (RCE). Furthermore, the vulnerability can be exploited to coerce outbound NTLM authentication through SMB coercion by supplying UNC paths, potentially allowing attackers to capture NTLM hashes or perform relay attacks. The vulnerability requires no authentication or user interaction and affects OnBase version 8.0. The CVSS 4.0 base score is 10, reflecting the critical nature of this vulnerability with network attack vector, low attack complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability. Although no public exploits are currently known, the exposure of TCP port 8900 endpoints and the severity of the flaw make it a high-risk target for attackers. The vendor has not yet defined the impacted version range for the Workview Timer Service, indicating potential wider impact. The vulnerability demands urgent attention to prevent compromise of OnBase deployments.

Potential Impact

For European organizations, the impact of CVE-2026-26221 is severe. Hyland OnBase is widely used in sectors such as healthcare, government, finance, and legal services across Europe for document management and workflow automation. Exploitation can lead to full system compromise, including unauthorized access to sensitive documents, disruption of critical business workflows, and potential data breaches involving personal and confidential information protected under GDPR. The ability to write arbitrary files and execute code remotely can allow attackers to deploy ransomware, steal intellectual property, or establish persistent footholds within networks. The SMB coercion aspect increases risk by enabling credential theft and lateral movement within corporate networks, exacerbating the threat landscape. Organizations with OnBase services exposed to untrusted networks or insufficiently segmented internal networks are particularly vulnerable. The critical severity and unauthenticated nature of the vulnerability mean that attackers can exploit it remotely without prior access, increasing the likelihood of targeted attacks against European entities using OnBase 8.0.

Mitigation Recommendations

1. Immediate application of vendor patches or updates once released is paramount; monitor Hyland advisories closely for official fixes addressing this vulnerability.
2. Until patches are available, restrict network access to TCP port 8900 on OnBase Workflow Timer Service hosts using firewalls or network segmentation to allow only trusted management systems.
3. Disable or block .NET Remoting HTTP channels if not required for business operations to reduce attack surface.
4. Implement strict egress filtering to prevent outbound SMB connections to untrusted hosts, mitigating SMB coercion attacks.
5. Conduct thorough network scans to identify exposed OnBase services and remediate exposure by moving services behind VPNs or internal-only networks.
6. Monitor logs for unusual .NET Remoting requests or unexpected file writes in web-accessible directories.
7. Employ endpoint detection and response (EDR) solutions to detect anomalous process behavior indicative of exploitation attempts.
8. Review and harden OnBase configuration to minimize unnecessary features or services that could be chained for exploitation.
9. Train IT and security teams on this specific vulnerability to ensure rapid detection and response.
10. Consider deploying network intrusion detection/prevention systems (IDS/IPS) with signatures targeting this vulnerability once available.
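
Recommendations 2, 4 and 6 can be checked against network logs. The Python triage below is an added example, not part of the advisory or any Hyland tooling; it flags untrusted sources reaching TCP/8900 (and `.rem` endpoints in particular) and outbound SMB from the service host. The record format, host address and subnets are assumptions constructed for the example.

```python
import ipaddress
import re

# Assumed values for this example (not from the advisory).
ONBASE_HOST = "10.20.0.15"                                # hypothetical Timer Service host
TRUSTED_SOURCES = [ipaddress.ip_network("10.20.0.0/28")]  # hypothetical management subnet
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # hypothetical internal range
REM_URI = re.compile(r"\.rem\b", re.IGNORECASE)           # .NET Remoting HTTP endpoints

# Constructed records: "timestamp src dst dport [method uri]"
SAMPLE = """\
2026-02-13T16:00:01Z 10.20.0.5 10.20.0.15 8900 POST /TimerServiceAPI.rem
2026-02-13T16:02:10Z 10.99.4.7 10.20.0.15 8900 POST /TimerServiceEvents.rem
2026-02-13T16:02:11Z 10.20.0.15 203.0.113.50 445
2026-02-13T16:03:00Z 10.20.0.15 10.20.0.30 445
2026-02-13T16:04:00Z 10.99.4.7 10.20.0.15 8900
"""

def in_any(ip, nets):
    """True if ip parses and falls inside one of nets; unparsable input counts as outside."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)

def triage(lines):
    """Return (timestamp, finding, peer) tuples for records worth investigating."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated records
        ts, src, dst, dport = parts[:4]
        uri = parts[5] if len(parts) > 5 else ""
        if dst == ONBASE_HOST and dport == "8900" and not in_any(src, TRUSTED_SOURCES):
            # Untrusted source reaching the Timer Service port (recommendations 2 and 6).
            kind = "remoting-endpoint" if REM_URI.search(uri) else "port-8900-untrusted"
            findings.append((ts, kind, src))
        elif src == ONBASE_HOST and dport == "445" and not in_any(dst, INTERNAL_NETS):
            # Outbound SMB from the service host to an external address (recommendation 4).
            findings.append((ts, "outbound-smb", dst))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE.splitlines()):
        print(*finding)
```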


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-02-11T20:08:07.945Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 698f4474c9e1ff5ad8426b31

Added to database: 2/13/2026, 3:34:12 PM

Last enriched: 2/13/2026, 3:48:34 PM

Last updated: 2/13/2026, 5:43:14 PM
