CVE-2026-58138

Summary

by MITRE • 06/30/2026

Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to authentication. Attackers can exploit unsandboxed GraalVM evaluators configured with HostAccess.ALL or allowAllAccess(true) through INLINE, LAMBDA, DO_WHILE, and SWITCH task types to invoke arbitrary system commands via Java reflection or direct subprocess calls.


Analysis

by VulDB Data Team • 06/30/2026

The Orkes Conductor vulnerability represents a critical security flaw in workflow orchestration systems that enables unauthenticated remote code execution through improper input validation and unsafe execution environments. This vulnerability affects versions prior to 3.30.2 and stems from the system's handling of inline workflow definitions submitted to the workflow API endpoint before authentication. The flaw allows attackers to execute arbitrary operating system commands by embedding malicious JavaScript or Python expressions within workflow definitions, fundamentally compromising system integrity and security boundaries.

The root cause is an unsafe GraalVM evaluator configuration: the engine is built with HostAccess.ALL or allowAllAccess(true), which lets guest JavaScript or Python code reach host Java classes. In that environment an inline workflow expression can invoke arbitrary system commands through Java reflection or direct subprocess calls. The reachable code paths are the INLINE, LAMBDA, DO_WHILE, and SWITCH task types, which are designed to evaluate dynamic expressions but run them without sandboxing controls. Because the workflow API accepts inline definitions before authentication, a crafted workflow definition is enough to reach the underlying operating system without any credentials.

The operational impact of this vulnerability extends far beyond simple command execution, creating an attack surface that allows full system compromise and data exfiltration. Attackers can leverage this vulnerability to establish persistent access, escalate privileges, and move laterally within network environments. The unauthenticated nature of the exploit means that any remote attacker with access to the API endpoint can immediately gain system-level privileges without requiring valid credentials or prior access. This makes the vulnerability particularly dangerous in cloud environments where Conductor services might be exposed to untrusted networks or internet-facing systems.

Mitigation must cover both immediate remediation and the architectural weakness behind it. Organizations should upgrade to version 3.30.2 or later, which ships evaluator configurations that restrict HostAccess permissions and adds input sanitization for workflow definitions. Architecturally, dynamic code execution should run in a strict sandbox, and authentication should be required before any workflow definition is accepted. Network segmentation and access controls around Conductor API endpoints, together with monitoring for suspicious workflow submissions and for unexpected command execution by the Conductor process, reduce exposure while patches are rolled out. This vulnerability aligns with CWE-94 (Improper Control of Generation of Code) and can be mapped to ATT&CK technique T1059.007 (Command and Scripting Interpreter: Python) and T1059.002 (Command and Scripting Interpreter: Visual Basic), reflecting the multiple interpreters and execution paths available to an attacker.
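The weak evaluator configuration the analysis describes, beside a default-deny one, as an added example written for this page; it is not Orkes Conductor's code and does not reproduce the patched 3.30.2 configuration. It assumes the GraalVM Polyglot API (org.graalvm.polyglot) with the JavaScript language on the classpath; the class name, the `$` binding and the sample input map are constructed for illustration.

```java
import java.util.Map;
import org.graalvm.polyglot.Context;
import org.graalvm.polyglot.HostAccess;
import org.graalvm.polyglot.PolyglotException;
import org.graalvm.polyglot.Value;
import org.graalvm.polyglot.proxy.ProxyObject;

// Constructed example (not Conductor's own evaluator): contrasts the unsafe GraalVM
// context the advisory describes with a default-deny context, then self-checks the latter.
public class EvaluatorSandboxCheck {

    // WEAK: allowAllAccess(true) (equivalently allowHostAccess(HostAccess.ALL)) lets guest
    // JavaScript reach host Java classes, which is what turns an expression evaluator into
    // a command-execution primitive when untrusted workflow definitions are accepted.
    static Context unsafeContext() {
        return Context.newBuilder("js")
                .allowAllAccess(true)
                .build();
    }

    // HARDENED: deny host access, host class lookup, process and thread creation, and
    // native access explicitly. (The builder already denies these unless enabled; stating
    // them makes a later "just add allowAllAccess(true)" change visible in review.)
    static Context sandboxedContext() {
        return Context.newBuilder("js")
                .allowHostAccess(HostAccess.NONE)
                .allowHostClassLookup(className -> false)
                .allowCreateProcess(false)
                .allowCreateThread(false)
                .allowNativeAccess(false)
                .build();
    }

    // Evaluates a workflow-style expression over a task input exposed as "$".
    // ProxyObject.fromMap hands the guest a plain key/value view, so no host object is
    // exposed and HostAccess.NONE is sufficient.
    static Value evaluate(Context ctx, String expression, Map<String, Object> input) {
        ctx.getBindings("js").putMember("$", ProxyObject.fromMap(input));
        return ctx.eval("js", expression);
    }

    // Self-check for the hardened context: a benign expression over the input must work,
    // and any attempt to reach a host class from the guest must be refused.
    static boolean sandboxRejectsHostAccess() {
        Map<String, Object> input = Map.of("orderId", "constructed-42", "amount", 17); // constructed
        try (Context ctx = sandboxedContext()) {
            if (evaluate(ctx, "$.amount * 2", input).asInt() != 34) {
                return false; // legitimate expressions must still evaluate
            }
            try {
                ctx.eval("js", "Java.type('java.lang.System')");
                return false; // host class lookup succeeded: the evaluator is NOT sandboxed
            } catch (PolyglotException refused) {
                return true;  // lookup refused by the guest, as required
            }
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened evaluator blocks host access: " + sandboxRejectsHostAccess());
    }
}
```

Run this as a startup or CI check against whatever context builder the service actually uses; a `false` result means an expression evaluator can reach host classes. The context hardening addresses only the HostAccess half of the flaw: the advisory's other half, that the workflow API accepted inline definitions before authentication, is fixed by upgrading to 3.30.2 or later and by requiring authentication in front of the endpoint.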

Disclosure

06/30/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low
