A critical unauthenticated remote code execution flaw in Orkes Conductor lets attackers run arbitrary OS commands by submitting malicious inline workflow definitions to the workflow API before authentication.
What Is It
CVE-2026-58138 is an unauthenticated remote code execution vulnerability (CWE-94, code injection) in Orkes Conductor. Remote attackers can execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to authentication. The flaw stems from unsandboxed GraalVM evaluators configured with HostAccess.ALL or allowAllAccess(true), which can be abused through the INLINE, LAMBDA, DO_WHILE, and SWITCH task types to invoke system commands via Java reflection or direct subprocess calls.
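To make the configuration point concrete, the following is an added illustrative example (not Conductor's own code and not from the advisory): a small evaluator wrapper showing the unsafe GraalVM polyglot context configuration the advisory describes next to a restricted one. The class name, the `$` binding for task input, and the statement-limit value are assumptions chosen for the illustration.

```java
import java.util.Map;

import org.graalvm.polyglot.Context;
import org.graalvm.polyglot.HostAccess;
import org.graalvm.polyglot.PolyglotException;
import org.graalvm.polyglot.ResourceLimits;
import org.graalvm.polyglot.Value;
import org.graalvm.polyglot.proxy.ProxyObject;

/**
 * Illustrative evaluator wrapper (hypothetical; not Conductor's own code).
 * Contrasts the unsandboxed context configuration named in the advisory
 * with a restricted one that keeps the JVM host out of reach of guest scripts.
 */
public final class RestrictedScriptEvaluator {

    /** The root-cause configuration pattern from the advisory: do not use. */
    static Context unsafeContext() {
        // allowAllAccess(true) (equivalently allowHostAccess(HostAccess.ALL)) exposes the
        // whole JVM to guest JavaScript, so an expression can reach arbitrary host classes.
        return Context.newBuilder("js")
                .allowAllAccess(true)
                .build();
    }

    /** Hardened context: no host access, no class lookup, no process/thread/native access. */
    static Context restrictedContext() {
        return Context.newBuilder("js")
                .allowHostAccess(HostAccess.NONE)         // guest code cannot call into Java objects
                .allowHostClassLookup(className -> false) // host class lookup resolves nothing
                .allowHostClassLoading(false)
                .allowCreateProcess(false)
                .allowCreateThread(false)
                .allowNativeAccess(false)
                // File I/O is denied by default when allowAllAccess is not set; left at the default.
                // Cap guest work so a runaway expression cannot pin a worker (limit is an assumption).
                .resourceLimits(ResourceLimits.newBuilder()
                        .statementLimit(100_000, null)
                        .build())
                .build();
    }

    /**
     * Evaluate a workflow expression against its input. The input map is exposed to the
     * script as "$" through a polyglot proxy rather than as a raw host object, so the
     * script sees only the data and never java.util.Map's methods.
     */
    public static Object evaluate(String expression, Map<String, Object> input) {
        try (Context ctx = restrictedContext()) {
            ctx.getBindings("js").putMember("$", ProxyObject.fromMap(input));
            Value result = ctx.eval("js", expression);
            return result.as(Object.class);
        } catch (PolyglotException e) {
            // Guest errors, denied host access and resource-limit hits all surface here;
            // fail the task, not the JVM.
            throw new IllegalArgumentException("expression rejected: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample task input, not taken from the advisory.
        Map<String, Object> input = Map.of("a", 2, "b", 3);
        System.out.println(evaluate("$.a + $.b", input));
    }
}
```

The important property is that `restrictedContext()` never grants host access at all: with `HostAccess.NONE` and a host-class-lookup predicate that rejects every name, the script has no path from guest code to JVM reflection or process creation, and data still flows in through the proxy binding. Upgrading to the fixed release remains the actual remediation; this wrapper only illustrates the configuration difference.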
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) and a CVSS 4.0 score of 9.3 (CRITICAL). The attack vector is network-based with low complexity, requires no privileges and no user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and impacts confidentiality, integrity, and availability at HIGH. Because exploitation occurs before authentication and yields arbitrary command execution, any network-reachable, affected instance is at severe risk of full compromise.
No CISA KEV entry was supplied, so active exploitation is not confirmed in this source material.
What's Vulnerable
- Vendor/Product: conductor-oss / conductor (Orkes Conductor)
- Affected versions: 3.21.21 up to (but not including) 3.30.2 (semver)
- Repository: https://github.com/conductor-oss/conductor
Patch Status
The issue is fixed in Orkes Conductor v3.30.2. Upgrading to 3.30.2 or later remediates the flaw. Fix commits are available in the conductor-oss repository (see Sources).
Sources
- NVD, CVE-2026-58138 (published 2026-06-30, CVSS 9.8): https://www.cve.org/CVERecord?id=CVE-2026-58138
- VulnCheck Advisory, Orkes Conductor Unauthenticated RCE via GraalVM Script Evaluators: https://www.vulncheck.com/advisories/orkes-conductor-unauthenticated-rce-via-graalvm-script-evaluators
- Fixed release, Conductor v3.30.2: https://github.com/conductor-oss/conductor/releases/tag/v3.30.2
- Fix commit 87a7d96: https://github.com/conductor-oss/conductor/commit/87a7d96aabbb706d6e84f812b93da5165028d18f
- Fix commit c691e35: https://github.com/conductor-oss/conductor/commit/c691e35e768caeb802c9f06ecdd9674c80081af1