External risk intelligence

Orkes Conductor Unauthenticated Remote Code Execution via GraalVM Script Evaluators.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-58138

The vulnerability affects an API endpoint in Orkes Conductor, which is a workflow orchestration platform. These platforms are commonly exposed as internet-facing services or management APIs to facilitate integration with external systems, making the API endpoint a likely target for network-based interaction.

Code Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory highlights a critical vulnerability in Orkes Conductor, a workflow orchestration technology. The flaw allows unauthenticated remote attackers to execute arbitrary operating system commands by submitting malicious code through specific task types in workflow definitions. This could potentially lead to unauthorized system control if not addressed.

  • Unauthenticated remote code execution in workflow tasks.
  • Critical flaw impacts workflow orchestration technology.
  • Assess relevance and exposure of Orkes Conductor.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by interacting with the workflow API endpoint without needing to authenticate. By submitting specially crafted workflow definitions that include malicious JavaScript or Python code, an attacker can leverage unsandboxed GraalVM evaluators to execute arbitrary operating system commands. This could lead to unauthorized access and control over the affected system.

  • No authentication required.
  • Submit malicious expressions via API.
  • Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthenticated attackers to execute arbitrary operating system commands on affected systems. This is possible when submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint, which can then leverage unsandboxed GraalVM evaluators to invoke system commands.

  • System commands.
  • Malicious input via API.
  • Arbitrary OS command execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Orkes Conductor impacts application and platform teams responsible for workflow orchestration. The immediate first step is to locate all instances of the affected technology, assess their exposure and business criticality, and identify the accountable system owner. Once these factors are understood, a risk-based remediation plan can be developed, potentially involving vendor coordination or temporary mitigation strategies.

  • Identify workflow platform owners.
  • Verify external reachability and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Orkes Conductor?

Orkes Conductor is a workflow orchestration platform used to manage and automate complex distributed tasks across systems. It functions by executing sequences of operations, often involving custom logic written in languages like JavaScript or Python. Because it coordinates various microservices and processes, it acts as a central hub for backend automation, making the security of its workflow API critical to maintaining the integrity of the integrated applications it manages.

What does CVE-2026-58138 mean?

This CVE describes a critical security weakness classified as CWE-94, or Improper Control of Generation of Code. In plain English, the system mistakenly allows untrusted data to be executed as commands. By sending a specially crafted request to the workflow API, an attacker can trick the system into running unauthorized operating system commands instead of just processing the intended workflow tasks.

How can an attacker trigger this vulnerability?

An attacker triggers this by submitting a workflow definition containing malicious code to the API endpoint before logging in. The bug relies on the platform using unsandboxed GraalVM evaluators that have broad access to host system features. If a workflow does not use these specific high-access evaluators or avoids the vulnerable task types like INLINE or LAMBDA, the exploit path is blocked.

Is my instance of Orkes Conductor at risk?

According to Halo Surface Signal, instances that are internet-facing are at the highest risk because the vulnerable API endpoint is easily reachable by remote attackers. You should consider whether your workflow orchestration API is exposed to the public internet or if it is restricted to internal network traffic, as external reachability significantly increases the likelihood of an attacker identifying and targeting the endpoint.

What should I do if I use Orkes Conductor?

The priority is to locate all instances of the software within your infrastructure and identify the specific team responsible for each one. Once identified, verify whether your versions fall within the affected range. Engage with your system owners to assess the business criticality of those workflows and coordinate a move to a patched version or implement protective measures to isolate the API from unauthorized network access.

References