Description
Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to authentication. Attackers can exploit unsandboxed GraalVM evaluators configured with HostAccess.ALL or allowAllAccess(true) through INLINE, LAMBDA, DO_WHILE, and SWITCH task types to invoke arbitrary system commands via Java reflection or direct subprocess calls.
Published: 2026-06-30
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Orkes Conductor versions from 3.21.21 up to, but not including, 3.30.2 contain an unauthenticated remote code execution flaw. The defect allows attackers to submit inline workflow definitions that include malicious JavaScript or Python expressions to the workflow API endpoint before any authentication is performed. Because the GraalVM evaluators used by the INLINE, LAMBDA, DO_WHILE, and SWITCH task types are configured with unsandboxed HostAccess.ALL or allowAllAccess(true), an attacker can invoke arbitrary system commands through Java reflection or subprocess calls, giving full control over the host operating system.

Affected Systems

The vulnerable component is Orkes Conductor OSS, versions 3.21.21 up to, but not including, 3.30.2. Any installation using these older releases is affected irrespective of deployment topology.

Risk and Exploitability

The flaw is scored with a CVSS base of 9.3, indicating critical severity. The EPSS score is unavailable and the vulnerability is not listed in CISA’s KEV catalog. Attackers can reach the workflow API endpoint without authentication, making exploitation feasible in publicly exposed deployments. Once a malicious workflow definition is delivered, the unsandboxed GraalVM environment will execute the embedded code, yielding remote code execution with the privileges of the Conductor service process.

Generated by OpenCVE AI on June 30, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Orkes Conductor to version 3.30.2 or later to remove the unsandboxed GraalVM evaluator configuration.
  • If an upgrade cannot be performed immediately, reconfigure the Conductor installation to disable inline script execution or limit HostAccess to a safe mode that rejects JavaScript/Python task types.
  • Protect the workflow API endpoint with authentication requirements or firewall rules so that only authenticated, authorized users can submit workflow definitions.
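To make the second action concrete, the following Java snippet contrasts the unsandboxed GraalVM evaluator configuration named in the advisory with a hardened one; it is an added example, not code from the OpenCVE record or from Orkes Conductor, and its class and method names are assumed. The check it performs looks up only java.lang.String, enough to confirm that host class lookup is refused.

```java
import org.graalvm.polyglot.Context;
import org.graalvm.polyglot.HostAccess;
import org.graalvm.polyglot.PolyglotException;
import org.graalvm.polyglot.Value;

public class ScriptEvaluatorHardening {

    // Weak configuration of the kind described in the advisory: every host class and
    // method is reachable from guest JavaScript, so a script carried in a workflow
    // definition runs with the full privileges of the Conductor JVM process.
    static Context weakContext() {
        return Context.newBuilder("js")
                .allowAllAccess(true) // implies HostAccess.ALL plus IO, threads and process creation
                .build();
    }

    // Hardened configuration: no host object access, no host class lookup, and process
    // and thread creation explicitly denied (they are off by default, stated here for
    // clarity). Guest code can still compute over the plain JSON-like values that a
    // workflow task passes in and out. CPU/memory budgets are a separate concern
    // (org.graalvm.polyglot.ResourceLimits) and are not shown here.
    static Context hardenedContext() {
        return Context.newBuilder("js")
                .allowHostAccess(HostAccess.NONE)
                .allowHostClassLookup(className -> false)
                .allowCreateProcess(false)
                .allowCreateThread(false)
                .build();
    }

    // Defender-side check: ask the guest to resolve a harmless host class. Returns true
    // when the context refuses, i.e. the evaluator is sandboxed against host reflection.
    static boolean hostLookupIsBlocked(Context ctx) {
        try {
            Value v = ctx.eval("js",
                "typeof Java === 'undefined' ? true : (Java.type('java.lang.String'), false)");
            return v.asBoolean();
        } catch (PolyglotException e) {
            return true; // lookup rejected by the engine
        }
    }

    public static void main(String[] args) {
        try (Context weak = weakContext(); Context hardened = hardenedContext()) {
            // Ordinary workflow expressions keep working under the hardened context.
            Value sum = hardened.eval("js", "var input = {a: 2, b: 3}; input.a + input.b");
            System.out.println("hardened arithmetic: " + sum.asInt());
            System.out.println("weak blocks host lookup: " + hostLookupIsBlocked(weak));
            System.out.println("hardened blocks host lookup: " + hostLookupIsBlocked(hardened));
        }
    }
}
```

Running the same check against each evaluator a deployment builds is a quick way to confirm that no INLINE, LAMBDA, DO_WHILE or SWITCH path still uses the permissive configuration.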

Generated by OpenCVE AI on June 30, 2026 at 20:24 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 19:00:00 +0000

Changes (no values removed; values added):
Description: Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to authentication. Attackers can exploit unsandboxed GraalVM evaluators configured with HostAccess.ALL or allowAllAccess(true) through INLINE, LAMBDA, DO_WHILE, and SWITCH task types to invoke arbitrary system commands via Java reflection or direct subprocess calls.
Title: Orkes Conductor 3.21.21 < 3.30.2 Unauthenticated RCE via GraalVM Script Evaluators
Weaknesses: CWE-94
References: (none)
Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T18:44:12.734Z

Reserved: 2026-06-29T14:13:18.385Z

Link: CVE-2026-58138

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T20:30:04Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')