CVE-2026-58138

Unauthenticated Remote Code Execution in Orkes Conductor

Vulnerability report for CVE-2026-58138, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to authentication. Attackers can exploit unsandboxed GraalVM evaluators configured with HostAccess.ALL or allowAllAccess(true) through INLINE, LAMBDA, DO_WHILE, and SWITCH task types to invoke arbitrary system commands via Java reflection or direct subprocess calls.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor   Product    Version / Range
orkes    conductor  up to 3.30.2 (excluding)
orkes    conductor  3.30.2

CWE

CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

AI Quick Actions

Executive Summary

CVE-2026-58138 is an unauthenticated remote code execution vulnerability in Orkes Conductor versions before 3.30.2. It allows remote attackers to execute arbitrary operating system commands by submitting malicious inline workflow definitions containing JavaScript or Python expressions to the workflow API endpoint before authentication.

The vulnerability exploits unsandboxed GraalVM script evaluators configured with excessive permissions (HostAccess.ALL or allowAllAccess(true)) through task types like INLINE, LAMBDA, DO_WHILE, and SWITCH. Attackers can invoke arbitrary system commands via Java reflection or direct subprocess calls.

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to execute arbitrary OS commands on the affected system without any authentication.

Exploitation can lead to full system compromise, including unauthorized access, data theft, system manipulation, or disruption of services.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious workflow API requests that include inline workflow definitions containing JavaScript or Python expressions prior to authentication.

Specifically, look for API calls to the workflow endpoint that submit INLINE, LAMBDA, DO_WHILE, or SWITCH task types with suspicious code snippets that might invoke system commands via Java reflection or subprocess calls.

Detection work can include inspecting HTTP request logs for such payloads, or using tools like curl or wget to simulate malicious payloads in a controlled test environment.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze traffic to the workflow API endpoint for suspicious payloads.
  • Search application logs for workflow API requests containing suspicious JavaScript or Python code patterns.
  • Example command to search logs for suspicious JavaScript or Python expressions: grep -E '(INLINE|LAMBDA|DO_WHILE|SWITCH)' /path/to/conductor/logs/* | grep -E '(Runtime|ProcessBuilder|System|Thread)'
  • Use curl to test the workflow API endpoint with a crafted payload to see if the system executes commands without authentication (only in a controlled test environment).

Mitigation Strategies

The immediate mitigation step is to upgrade Orkes Conductor to version 3.30.2 or later, where the vulnerability has been fixed by restricting GraalVM script evaluator permissions and disabling unsafe host access.

If upgrading immediately is not possible, restrict access to the workflow API endpoint to trusted networks or users to prevent unauthenticated access.

Apply security patches that disable unsafe operations in the GraalJS and Python evaluators, such as disabling host class loading, native access, thread and process creation, I/O operations, and environment access.

  • Upgrade to Orkes Conductor version 3.30.2 or later.
  • Restrict network access to the workflow API endpoint.
  • Apply configuration changes or patches that disable HostAccess.ALL or allowAllAccess(true) in GraalVM evaluators.
  • Review and apply the security commits c691e35 and 87a7d96 to harden GraalJS and Python evaluators.
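
As an added illustration (not code from Orkes Conductor or from the commits referenced above), the two GraalVM polyglot Context configurations below contrast the permissive builder the advisory describes with one that switches off each host capability listed in the mitigation text. It assumes GraalVM SDK 23 or later (for org.graalvm.polyglot.io.IOAccess) and a JavaScript language runtime on the classpath; the class and method names are hypothetical.

```java
import org.graalvm.polyglot.Context;
import org.graalvm.polyglot.EnvironmentAccess;
import org.graalvm.polyglot.HostAccess;
import org.graalvm.polyglot.PolyglotAccess;
import org.graalvm.polyglot.PolyglotException;
import org.graalvm.polyglot.Value;
import org.graalvm.polyglot.io.IOAccess;

public class EvaluatorContexts {

    // Weak configuration of the kind the advisory describes: allowAllAccess(true)
    // hands the guest script every host capability (reflection, processes, I/O, ...).
    static Context unsafeContext(String language) {
        return Context.newBuilder(language)
                .allowAllAccess(true)
                .build();
    }

    // Hardened configuration: each capability named in the mitigation text is denied,
    // so workflow expressions stay pure computations over their inputs.
    static Context hardenedContext(String language) {
        return Context.newBuilder(language)
                .allowHostAccess(HostAccess.NONE)           // no host members via reflection
                .allowHostClassLookup(className -> false)   // Java.type(...) lookups denied
                .allowHostClassLoading(false)               // no host class loading
                .allowNativeAccess(false)                   // no native access
                .allowCreateThread(false)                   // no thread creation
                .allowCreateProcess(false)                  // no process creation
                .allowIO(IOAccess.NONE)                     // no file I/O
                .allowEnvironmentAccess(EnvironmentAccess.NONE) // no environment access
                .allowPolyglotAccess(PolyglotAccess.NONE)   // no cross-language bindings
                .build();
    }

    // Evaluates one expression and reports whether the context refused a host-access attempt.
    static String evaluate(Context ctx, String language, String expression) {
        try (ctx) {
            Value v = ctx.eval(language, expression);
            return "result: " + v;
        } catch (PolyglotException e) {
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // A benign workflow-style expression still evaluates in the hardened context.
        System.out.println(evaluate(hardenedContext("js"), "js", "1 + 2"));
        // A host class lookup (harmless class chosen here) is rejected in the hardened context.
        System.out.println(evaluate(hardenedContext("js"), "js", "Java.type('java.lang.String')"));
    }
}
```
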

Compliance Impact

CVE-2026-58138 allows unauthenticated remote attackers to execute arbitrary operating system commands on affected Orkes Conductor systems. This critical security flaw can lead to full system compromise, including unauthorized access to sensitive data and disruption of system availability.

Such a vulnerability poses significant risks to compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring confidentiality, integrity, and availability of systems. Exploitation of this vulnerability could result in data breaches, unauthorized data access, and system outages, all of which are violations of these regulatory requirements.

Organizations using vulnerable versions of Orkes Conductor may face increased risk of non-compliance, potential legal penalties, and reputational damage if this vulnerability is exploited and leads to data exposure or service disruption.
