Critical (9.8)

Orkes Conductor unauth RCE (CVE-2026-58138) [PoC]

CVE-2026-58138

CVE-2026-58138 is a critical unauthenticated RCE in Orkes Conductor 3.21.21-3.30.1 that allows arbitrary OS command execution. Update to version 3.30.2 or later immediately.

Exploitation confirmed - public proof-of-concept - CVE-2026-58138 is a critical unauthenticated remote code execution in Orkes Conductor versions 3.21.21 through 3.30.1 that lets attackers execute arbitrary OS commands on the server without any credentials. Patched in version 3.30.2 - update immediately.

Overview

CVE-2026-58138 affects Orkes Conductor, a workflow orchestration platform. The vulnerability allows unauthenticated remote attackers to submit malicious workflow definitions via the workflow API endpoint before any authentication check occurs. These definitions can contain inline JavaScript or Python expressions that are evaluated by unsandboxed GraalVM evaluators.

The vulnerability exists when GraalVM evaluators are configured with HostAccess.ALL or allowAllAccess(true). Attackers exploit this through INLINE, LAMBDA, DO_WHILE, and SWITCH task types to invoke arbitrary system commands using Java reflection or direct subprocess calls.

With a CVSS score of 9.8 (Critical), this vulnerability requires no privileges, no user interaction, and can be exploited over the network with low complexity.

Impact

Successful exploitation grants attackers complete control over the affected Orkes Conductor server. Attackers can execute any OS command, access sensitive data, modify workflow definitions, install persistent backdoors, or pivot to internal network resources. The unauthenticated nature of this vulnerability means any system exposed to the internet is at immediate risk.

Remediation

Immediate Action: Upgrade Orkes Conductor to version 3.30.2 or later. This version addresses the GraalVM sandbox bypass by properly restricting evaluator access.

Mitigation Steps:

  • Verify your Orkes Conductor version: check the application version in the admin console or via API.
  • If immediate patching is not possible, restrict network access to the workflow API endpoint to trusted IP addresses only.
  • Review GraalVM evaluator configurations and ensure HostAccess.ALL or allowAllAccess(true) is not enabled.
  • Monitor for suspicious workflow submissions containing inline script expressions.

Security Insight

This vulnerability highlights a recurring pattern in workflow and automation platforms - exposing script evaluation engines before authentication. Similar issues have been seen in Apache NiFi and Node-RED where inline expression evaluation becomes an RCE vector when sandboxing is misconfigured. The fact that GraalVM’s HostAccess.ALL bypass requires no authentication suggests Orkes Conductor’s security review process needs to include pre-authentication attack surface analysis for all API endpoints that accept user-controlled code.

For the latest data breach reports, visit breach reports. For current cybersecurity news, see security news.

Further Reading

Share:

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository Stars
BiiTts/CVE-2026-58138-Conductor-Unauth-RCE

CVE-2026-58138 — Conductor (3.21.21..<3.30.2) unauthenticated RCE via INLINE GraalVM evaluator (HostAccess.ALL). Lab + PoC, verified e2e (root).

★ 0

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.

Related Advisories

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.