CRITICAL | CVE-2026-58138 | Published | Modified | CNA: VulnCheck

CVE-2026-58138: Orkes Conductor 3.21.21 < 3.30.2 Unauthenticated RCE via GraalVM Script Evaluators

Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to authentication. Attackers can exploit unsandboxed GraalVM evaluators configured with HostAccess.ALL or allowAllAccess(true) through INLINE, LAMBDA, DO_WHILE, and SWITCH task types to invoke arbitrary system commands via Java reflection or direct subprocess calls.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 3.30.2
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated remote code execution vulnerability exists in Orkes Conductor versions from 3.21.21 up to, but not including, 3.30.2. It is caused by unsandboxed GraalVM script evaluators that execute attacker-supplied JavaScript or Python expressions. The vulnerability is reachable over the network with no authentication: any remote attacker who can reach the workflow API endpoint can submit inline task definitions containing such expressions. Successful exploitation gives the attacker arbitrary OS command execution on the host running Conductor. A patched-image rebuild at version 3.30.2 is available on HarborGuard for environments running an affected version.
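The description and synopsis above both point at the same root cause: a GraalVM polyglot context built with allowAllAccess(true) or HostAccess.ALL hands guest scripts the host JVM, so any expression the workflow API accepts runs with the server's privileges. The following Java example, added here and not taken from Conductor's code base or from HarborGuard, places that permissive configuration beside a restricted one and evaluates a constructed SWITCH-style expression against workflow input passed in as a polyglot proxy rather than a raw Java object. It assumes the GraalVM Polyglot API and the GraalJS engine (language id "js") are on the classpath; the class, method and sample input names are the example's own.

```java
import java.util.Map;

import org.graalvm.polyglot.Context;
import org.graalvm.polyglot.HostAccess;
import org.graalvm.polyglot.PolyglotException;
import org.graalvm.polyglot.Value;
import org.graalvm.polyglot.proxy.ProxyObject;

/**
 * Added example (not Conductor code): a permissive GraalVM context of the kind the
 * advisory describes, next to a restricted one suitable for untrusted expressions.
 */
public class ExpressionEvaluatorExample {

    // Weak setting. allowAllAccess(true) (equivalently allowHostAccess(HostAccess.ALL)
    // plus host class lookup, process creation, IO, threads and native access) exposes the
    // whole host JVM to the guest script. Combined with an endpoint that evaluates
    // before authenticating, this is the unauthenticated RCE condition in CVE-2026-58138.
    static Context permissiveContext() {
        return Context.newBuilder("js")
                .allowAllAccess(true)
                .build();
    }

    // Hardened setting. No host object access, no host class lookup or loading, no
    // subprocesses, threads or native access. Several of these are already the builder
    // defaults; they are spelled out so the intent is explicit and survives code review.
    static Context restrictedContext() {
        return Context.newBuilder("js")
                .allowHostAccess(HostAccess.NONE)
                .allowHostClassLookup(className -> false)
                .allowHostClassLoading(false)
                .allowCreateProcess(false)
                .allowCreateThread(false)
                .allowNativeAccess(false)
                .build();
    }

    /**
     * Evaluates a workflow expression with the given input bound to "$". The input map is
     * wrapped in a ProxyObject, which is readable from the guest even with HostAccess.NONE,
     * so the restricted context does not need any host access just to see task input.
     * Returns the result as a string, or null if the engine rejected the expression.
     */
    static String evaluate(Context ctx, Map<String, Object> input, String expression) {
        try (ctx) {
            ctx.getBindings("js").putMember("$", ProxyObject.fromMap(input));
            Value result = ctx.eval("js", expression);
            return result.toString();
        } catch (PolyglotException e) {
            // A denied host lookup, a syntax error or a guest exception all land here;
            // the caller should reject the task rather than fall back to the permissive context.
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input and a SWITCH-style branch expression (not from the page).
        Map<String, Object> input = Map.of("count", 7, "region", "eu");
        String expression = "$.count > 5 && $.region === 'eu' ? 'fast_path' : 'slow_path'";

        // The restricted context is all a legitimate branch/transform expression needs.
        System.out.println(evaluate(restrictedContext(), input, expression)); // fast_path
    }
}
```

Sandboxing the evaluator is defence in depth, not a substitute for the fix: the vulnerable versions also evaluate the expression before any authentication check, so the API must authenticate the caller first and the context must be restricted regardless. A permissive context should only ever be reachable for trusted, operator-authored definitions, and never for input arriving on a network endpoint.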

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-58138 is available across every HarborGuard environment; the CVE is matched against images in customer registries and CI pipelines within minutes of publication, including custom-built images derived from conductor-oss base layers. HarborGuard ingests from upstream advisory feeds continuously, so newly published records like this one become matchable against customer image manifests as soon as they appear.

Triage: Available

HarborGuard scores this CVE at 9.3 Critical under CVSS v4.0 and surfaces it at the top of the affected environment's vulnerability queue automatically. Per-environment compliance policy weighting is applied during triage, and findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild targeting Orkes Conductor 3.30.2 becomes available on HarborGuard for any environment where an affected image version is detected. For customers who opt into auto-remediation, HarborGuard triggers an image rebuild, runs regression tests against the updated image, and opens a pull request against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable workflow API endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the Conductor service from a remote host.

  • Authentication: Not required

    No account or credential of any privilege level is needed; the vulnerable endpoint accepts and evaluates inline workflow definitions before any authentication check.

  • Victim interaction: Not required

    The attack is entirely server-side; no user action such as clicking a link or opening a file is involved.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free; the attacker simply submits a crafted payload to a publicly reachable API endpoint, with no race conditions or environmental dependencies to satisfy.

Blast Radius

  • Attacker executes arbitrary OS commands on the Conductor host, gaining full control over the process and its runtime environment.
  • Attacker reads secrets, configuration files, and credentials stored on the host or mounted into the container, including any cloud provider tokens or database passwords accessible to the Conductor process.
  • Attacker modifies or deletes workflow state, task queues, and persisted job data managed by the Conductor instance.
  • Attacker crashes or disables the Conductor service entirely, halting all workflow orchestration for dependent applications.

How HarborGuard Handles This

Available on HarborGuard: detection, triage, and patched-image rebuild capability for CVE-2026-58138 at Orkes Conductor 3.30.2. Because this is a Critical-severity unauthenticated RCE, images matching the affected version range (3.21.21 to below 3.30.2) are flagged immediately upon scan. For customers who opt into auto-remediation, HarborGuard will rebuild the affected image at 3.30.2, run a regression test suite against the new image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image is staged and the finding is routed to the designated owner inbox with full CVSS context attached. Until an upgrade can be applied, teams should consider restricting network access to the Conductor workflow API endpoint via Kubernetes NetworkPolicy or equivalent ingress controls to limit exposure to trusted internal callers only.


Fix available: 3.30.2

Affected packages
  • conductor-oss / conductor: from 3.21.21, < 3.30.2

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N