Impact
Orkes Conductor versions from 3.21.21 up to, but not including, 3.30.2 contain an unauthenticated remote code execution flaw. The workflow API endpoint accepts inline workflow definitions, including ones carrying attacker-supplied JavaScript or Python expressions, before any authentication is performed. Because the GraalVM evaluators behind the INLINE, LAMBDA, DO_WHILE, and SWITCH task types are configured without a sandbox (HostAccess.ALL or allowAllAccess(true)), such an expression can reach Java reflection or subprocess calls and invoke arbitrary system commands, giving full control over the host operating system.
Affected Systems
The vulnerable component is Orkes Conductor OSS, versions 3.21.21 up to, but not including, 3.30.2. Any installation using these older releases is affected irrespective of deployment topology.
Risk and Exploitability
The flaw carries a CVSS base score of 9.3, which is critical severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The workflow API endpoint is reachable without authentication, so exploitation is feasible against any publicly exposed deployment. Once a malicious workflow definition is delivered, the unsandboxed GraalVM environment executes the embedded code, yielding remote code execution with the privileges of the Conductor service process.
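As an added illustration of the configuration defect described under Impact and Risk and Exploitability (this is not Conductor's code), the Java check below builds the two GraalVM polyglot context shapes the advisory contrasts: the unsandboxed allowAllAccess(true) form beside a hardened context that denies host access and host class lookup, then uses a benign probe to show which one lets script code resolve a JDK class. The class and method names are assumptions; it needs the org.graalvm.polyglot API and the GraalJS language on the classpath.

```java
import org.graalvm.polyglot.Context;
import org.graalvm.polyglot.HostAccess;
import org.graalvm.polyglot.PolyglotException;

// Hypothetical helper for auditing evaluator contexts; not part of Conductor.
public final class EvaluatorHardeningCheck {

    // The weak shape named in the advisory: allowAllAccess(true) switches on host access,
    // host class lookup, IO, native access and thread creation for every script evaluated.
    static Context unsandboxedContext() {
        return Context.newBuilder("js")
                .allowAllAccess(true)
                .build();
    }

    // Hardened shape for an expression evaluator: scripts may compute values but cannot
    // resolve or call Java host classes, so reflection from script code is denied.
    static Context sandboxedContext() {
        return Context.newBuilder("js")
                .allowHostAccess(HostAccess.NONE)
                .allowHostClassLookup(className -> false)
                .build();
    }

    // Returns true when script code in ctx can resolve a Java host class at all.
    // The probe only looks up java.lang.Object; it performs no host call.
    static boolean hostClassLookupReachable(Context ctx) {
        try {
            ctx.eval("js", "Java.type('java.lang.Object')");
            return true;
        } catch (PolyglotException e) {
            // Guest-side failure: Java is undefined or access to the host class is denied.
            return false;
        }
    }

    // Ordinary expression evaluation must keep working in the hardened context.
    static int evalArithmetic(Context ctx, String expr) {
        return ctx.eval("js", expr).asInt();
    }

    public static void main(String[] args) {
        try (Context weak = unsandboxedContext(); Context hardened = sandboxedContext()) {
            System.out.println("unsandboxed: host class lookup reachable = "
                    + hostClassLookupReachable(weak));
            System.out.println("hardened:    host class lookup reachable = "
                    + hostClassLookupReachable(hardened));
            System.out.println("hardened still evaluates 6 * 7 -> "
                    + evalArithmetic(hardened, "6 * 7"));
        }
    }
}
```

Running the check against a deployment's own evaluator configuration is a quick way to confirm that an upgrade or configuration change actually removed host class lookup from script code.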
OpenCVE Enrichment