⚡ Active KEV CVE-2026-58138 2026-06-30

Orkes Conductor Unauthenticated RCE: CVE-2026-58138

A critical unauthenticated remote code execution flaw in Orkes Conductor lets attackers run arbitrary OS commands by submitting malicious inline workflow definitions to the workflow API before authentication.

What Is It

CVE-2026-58138 is an unauthenticated remote code execution vulnerability (CWE-94, code injection) in Orkes Conductor. Remote attackers can execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to authentication. The flaw stems from unsandboxed GraalVM evaluators configured with HostAccess.ALL or allowAllAccess(true), which can be abused through the INLINE, LAMBDA, DO_WHILE, and SWITCH task types to invoke system commands via Java reflection or direct subprocess calls.
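The root cause named above is a GraalVM polyglot context built with every host privilege granted. The following is an added example, not code from Orkes Conductor or its fix commits: it places the weak builder (allowAllAccess(true), which implies HostAccess.ALL) next to a locked-down builder that an inline-expression evaluator could use instead, and includes a defender-side check that the hardened context refuses host class lookup. Class and method names (InlineEvaluatorHardening, weakContext, hardenedContext, evaluate, blocksHostAccess) and the sample expression are assumptions for illustration; the restricted policy is a reasonable hardening, not a description of how 3.30.2 actually fixes the issue.

```java
import org.graalvm.polyglot.Context;
import org.graalvm.polyglot.HostAccess;
import org.graalvm.polyglot.PolyglotException;
import org.graalvm.polyglot.Value;

// Added example (not Orkes Conductor's own code). Contrasts the unsafe
// GraalVM context configuration described in the advisory with a restricted
// one, and verifies that the restricted context blocks host interop.
public class InlineEvaluatorHardening {

    // Weak configuration as described in the advisory: allowAllAccess(true)
    // grants HostAccess.ALL plus IO, process creation, native access and
    // threads, so a guest script can reach arbitrary Java classes.
    static Context weakContext() {
        return Context.newBuilder("js")
                .allowAllAccess(true)
                .build();
    }

    // Hardened configuration (assumed policy, not taken from the fix):
    // no host object access, no host class lookup, no IO, no subprocesses,
    // no native access, no guest-created threads. Only pure computation
    // over the primitive inputs bound below remains possible.
    static Context hardenedContext() {
        return Context.newBuilder("js")
                .allowAllAccess(false)
                .allowHostAccess(HostAccess.NONE)
                .allowHostClassLookup(className -> false)
                .allowIO(false)
                .allowCreateProcess(false)
                .allowNativeAccess(false)
                .allowCreateThread(false)
                .build();
    }

    // Evaluate an inline expression with one primitive input binding, the way
    // an INLINE-style task would expose task inputs to the script.
    static String evaluate(Context ctx, String expression, String inputName, Object inputValue) {
        ctx.getBindings("js").putMember(inputName, inputValue);
        Value result = ctx.eval("js", expression);
        return result.toString();
    }

    // Defender check: true when the context refuses host class lookup.
    // Probes with a harmless class name; a properly restricted context
    // raises a guest exception (surfaced as PolyglotException) instead of
    // returning the class.
    static boolean blocksHostAccess(Context ctx) {
        try {
            ctx.eval("js", "Java.type('java.lang.String')");
            return false;
        } catch (PolyglotException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a legitimate routing expression over a task input.
        String routing = "orderTotal > 100 ? 'review' : 'auto_approve'";

        try (Context weak = weakContext(); Context hardened = hardenedContext()) {
            // Both contexts evaluate ordinary workflow logic the same way.
            System.out.println("weak     -> " + evaluate(weak, routing, "orderTotal", 250));
            System.out.println("hardened -> " + evaluate(hardened, routing, "orderTotal", 250));

            // Only the hardened context denies host interop.
            System.out.println("weak blocks host access:     " + blocksHostAccess(weak));
            System.out.println("hardened blocks host access: " + blocksHostAccess(hardened));
        }
    }
}
```

Run with the GraalVM JDK (or a standard JDK with the org.graalvm.polyglot and js artifacts on the classpath). The check is the part worth wiring into a test suite: any evaluator that returns a host class for the probe is configured the way the advisory describes, regardless of which task type (INLINE, LAMBDA, DO_WHILE, SWITCH) feeds it expressions.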

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) and a CVSS 4.0 score of 9.3 (CRITICAL). The attack vector is network-based with low complexity, requires no privileges and no user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and impacts confidentiality, integrity, and availability at HIGH. Because exploitation occurs before authentication and yields arbitrary command execution, any network-reachable, affected instance is at severe risk of full compromise.

No CISA KEV entry was supplied, so active exploitation is not confirmed in this source material.

What's Vulnerable

Patch Status

The issue is fixed in Orkes Conductor v3.30.2. Upgrading to 3.30.2 or later remediates the flaw. Fix commits are available in the conductor-oss repository (see Sources).

Sources