CVE-2026-58138
Orkes · Conductor
Orkes Conductor is vulnerable to unauthenticated remote code execution via malicious workflow definitions that exploit improperly configured GraalVM evaluators.
Executive summary
Orkes Conductor contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary OS commands via the workflow API.
Vulnerability
The vulnerability allows an unauthenticated attacker to submit workflow definitions containing malicious expressions. Because the GraalVM evaluators that run these expressions are configured with excessive permissions (HostAccess.ALL), an expression can reach host Java classes through reflection or spawn subprocesses directly, and so execute system-level commands.
Business impact
With a CVSS score of 9.8, this is a critical vulnerability that grants an attacker full control over the host operating system. The potential for total system compromise, lateral movement, and complete loss of confidentiality and integrity necessitates an immediate and prioritized response.
Remediation
Immediate Action: Upgrade to version 3.30.2 or later to ensure that workflow evaluators are correctly sandboxed and restricted.
Proactive Monitoring: Monitor API logs for suspicious workflow submissions, particularly those containing inline scripts or unexpected task types (INLINE, LAMBDA, etc.).
Compensating Controls: Restrict access to the Conductor workflow API endpoint via network-level controls or authentication proxies until the patch can be applied.
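As an added illustration, not code from Orkes Conductor or from this advisory, the following Java snippet places a GraalJS evaluator built with HostAccess.ALL (the configuration the vulnerability section identifies) beside a sandboxed one of the kind the "correctly sandboxed and restricted" remediation refers to. It uses only the public GraalVM polyglot API (org.graalvm.polyglot). The class and method names EvaluatorHardening, weakContext, hardenedContext, evaluate and hostLookupBlocked are assumed for this example and are not Conductor identifiers; the statement limit is an arbitrary budget, and the sample input map is constructed.

```java
// Added example (not Orkes Conductor's own code): a GraalJS evaluator granting
// full host access, as the advisory describes, next to a sandboxed evaluator.
// Assumes the GraalVM polyglot API (org.graalvm.polyglot) is on the classpath.
import org.graalvm.polyglot.Context;
import org.graalvm.polyglot.HostAccess;
import org.graalvm.polyglot.PolyglotException;
import org.graalvm.polyglot.ResourceLimits;
import org.graalvm.polyglot.Value;
import org.graalvm.polyglot.proxy.ProxyObject;

import java.util.HashMap;
import java.util.Map;

public final class EvaluatorHardening {

    // Weak configuration: HostAccess.ALL plus allowAllAccess lets an untrusted
    // expression reach arbitrary Java classes, reflection, I/O and process creation.
    static Context weakContext() {
        return Context.newBuilder("js")
                .allowAllAccess(true)
                .allowHostAccess(HostAccess.ALL)
                .build();
    }

    // Hardened configuration: no host object access, no host class lookup, no I/O,
    // no process, thread or native access, and a statement budget (arbitrary value
    // chosen for this example) so a runaway expression cannot hang the worker.
    static Context hardenedContext() {
        return Context.newBuilder("js")
                .allowHostAccess(HostAccess.NONE)
                .allowHostClassLookup(className -> false)
                .allowIO(false)
                .allowCreateProcess(false)
                .allowCreateThread(false)
                .allowNativeAccess(false)
                .resourceLimits(ResourceLimits.newBuilder()
                        .statementLimit(100_000, null)
                        .build())
                .build();
    }

    // Evaluate a workflow expression against its input. The input map is exposed
    // as a polyglot proxy under "$", so the script can read it without any host
    // access being granted.
    static Object evaluate(String expression, Map<String, Object> input) {
        try (Context ctx = hardenedContext()) {
            ctx.getBindings("js").putMember("$", ProxyObject.fromMap(input));
            Value result = ctx.eval("js", expression);
            if (result.isNumber()) {
                return result.asInt();
            }
            if (result.isString()) {
                return result.asString();
            }
            return result.toString();
        }
    }

    // Verification probe: under the hardened context any host class lookup, even
    // of a harmless class, must be rejected by the engine. Returns true if the
    // lookup was blocked, false if the sandbox let it through.
    static boolean hostLookupBlocked() {
        try (Context ctx = hardenedContext()) {
            ctx.eval("js", "Java.type('java.lang.Object')");
            return false;
        } catch (PolyglotException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for a task's input parameters.
        Map<String, Object> input = new HashMap<>();
        input.put("quantity", 3);
        input.put("unitPrice", 7);
        System.out.println("total = " + evaluate("$.quantity * $.unitPrice", input));
        System.out.println("host lookup blocked = " + hostLookupBlocked());
    }
}
```

The contrast is the whole point: with weakContext() the script engine is a thin wrapper around the JVM, whereas hardenedContext() leaves an expression able to do arithmetic, string handling and JSON shaping over its input and nothing else. hostLookupBlocked() is the kind of check a deployment can run at startup to confirm the evaluator really is sandboxed rather than trusting a configuration flag. On GraalVM 23 and later the boolean allowIO is deprecated in favour of allowIO(IOAccess.NONE), which expresses the same restriction.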
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
This remote code execution flaw poses an extreme risk to the environment. It is imperative that all affected Conductor instances are updated to the secure version immediately. Failure to patch will leave the underlying infrastructure exposed to complete takeover by remote, unauthenticated actors.