Onbase Workflow Timer Service
Approved changes feed: RSS · Atom
cpe:2.3:a:hyland:onbase_workflow_timer_service:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Hyland (4cbf6081-43e8-5c1e-b8e8-d0a0dad432d9) |
|---|---|
| Product | Onbase Workflow Timer Service (ce86a9a9-6ba9-5be0-b3f4-b5940f5d3944) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-26221 |
vulnerable | 2026-06-03 15:18:05.430041 |
Hyland OnBase Timer Service Unauthenticated .NET Remoting RCE
CRITICAL (9.8)
Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.
Published: 2026-02-13T15:21:48.928Z
Updated: 2026-05-25T23:41:44.966Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.