CVE-2026-58138

Source
https://cve.org/CVERecord?id=CVE-2026-58138
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58138.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58138
Published
2026-06-30T18:44:12.734Z
Modified
2026-07-08T08:12:11.362019089Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Orkes Conductor 3.21.21 < 3.30.2 Unauthenticated RCE via GraalVM Script Evaluators
Details

Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to authentication. Attackers can exploit unsandboxed GraalVM evaluators configured with HostAccess.ALL or allowAllAccess(true) through INLINE, LAMBDA, DO_WHILE, and SWITCH task types to invoke arbitrary system commands via Java reflection or direct subprocess calls.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58138.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-94"
    ]
}
References

Affected packages

Git / github.com/conductor-oss/conductor

Affected ranges

Type
GIT
Repo
https://github.com/conductor-oss/conductor
Events
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "3.21.21"
        },
        {
            "fixed": "3.30.2"
        }
    ]
}

Affected versions

v3.*
v3.21.21
v3.21.22
v3.21.23
v3.21.24-rc.1
v3.22.0
v3.22.0-beta
v3.22.1
v3.22.2
v3.22.3
v3.23.0
v3.3.0.rc3
v3.3.0.rc4
v3.3.0.rc5
v3.3.0.rc6
v3.3.0.rc7
v3.3.0.rc8
v3.30.0
v3.30.0.rc1
v3.30.0.rc10
v3.30.0.rc12
v3.30.0.rc13
v3.30.0.rc14
v3.30.0.rc15
v3.30.0.rc16
v3.30.0.rc17
v3.30.0.rc18
v3.30.0.rc2
v3.30.0.rc3
v3.30.0.rc4
v3.30.0.rc5
v3.30.0.rc6
v3.30.0.rc7
v3.30.0.rc9
v3.30.1
v3.31.0-rc.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58138.json"