Unauthenticated Remote Code Execution in Orkes Conductor by Orkes
CVE-2026-58138

9.3 CRITICAL

Key Information:

Vendor: Orkes
CVE Published: 30 June 2026

What is CVE-2026-58138?

An unauthenticated remote code execution vulnerability in Orkes Conductor versions prior to 3.30.2 could allow remote attackers to execute arbitrary operating system commands by submitting malicious JavaScript or Python expressions through workflow definitions to the workflow API endpoint without authentication. The exploit leverages unsandboxed GraalVM evaluators configured with extensive access permissions, enabling the invocation of arbitrary system commands on the server.
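The description above turns on one configuration detail: a GraalVM polyglot evaluator that was built with broad access permissions. The following Java snippet is an added illustration, not Orkes Conductor's code and not a description of how the project actually wires its evaluators; it contrasts an unrestricted GraalVM context with a locked-down one and shows a simple probe a defender can run to confirm that host class lookup is denied. The class name, the `count` binding and the `java.util.HashMap` probe are constructed for the example, and it assumes the org.graalvm.polyglot API as shipped with recent GraalVM releases.

```java
import org.graalvm.polyglot.Context;
import org.graalvm.polyglot.HostAccess;
import org.graalvm.polyglot.PolyglotAccess;
import org.graalvm.polyglot.PolyglotException;

// Constructed example class; not part of Orkes Conductor.
public class ExpressionSandbox {

    // The weak pattern the advisory describes: everything is enabled, so a
    // user-supplied script can reach arbitrary Java classes on the host.
    static Context unrestrictedContext() {
        return Context.newBuilder("js")
                .allowAllAccess(true)
                .build();
    }

    // Hardened pattern: no host access, no host class lookup, no process or
    // thread creation, no cross-language bindings. The script can only see
    // the primitives we bind into it explicitly.
    static Context restrictedContext() {
        return Context.newBuilder("js")
                .allowHostAccess(HostAccess.NONE)
                .allowHostClassLookup(className -> false)
                .allowCreateProcess(false)
                .allowCreateThread(false)
                .allowPolyglotAccess(PolyglotAccess.NONE)
                .build();
    }

    // Evaluate an untrusted expression with one primitive input bound as `count`.
    // Any guest-side failure (including a denied host lookup) is reported,
    // not propagated, so a rejected script cannot take the worker down.
    static String evaluate(Context ctx, String expression, int count) {
        try {
            ctx.getBindings("js").putMember("count", count);
            return ctx.eval("js", expression).toString();
        } catch (PolyglotException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // A benign workflow-style expression works in the hardened context...
        try (Context ctx = restrictedContext()) {
            System.out.println(evaluate(ctx, "count * 2", 3));      // prints 6
            // ...while any attempt to reach a host class is refused.
            // java.util.HashMap is a harmless probe; the point is that lookup
            // is blocked for every class, not just dangerous ones.
            System.out.println(evaluate(ctx, "Java.type('java.util.HashMap')", 3));
        }
    }
}
```

The probe is the check worth keeping in a unit test: if the second line ever stops starting with `rejected:`, someone has widened the context permissions. Binding only primitives (here an `int`) matters as well, because with `HostAccess.NONE` a Java object handed to the script would be opaque anyway, so passing plain values keeps the contract honest.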

Affected Version(s)

conductor 3.21.21

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

seqradev