Orkes · Orkes Conductor · CVE-2026-58138
**Name of the Vulnerable Software and Affected Versions**
Orkes Conductor versions 3.21.21 through 3.30.1
**Description**
An unauthenticated remote code execution issue allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint. This occurs when unsandboxed GraalVM evaluators are configured with `HostAccess.ALL` or `allowAllAccess(true)` through INLINE, LAMBDA, DO WHILE, and SWITCH task types, enabling the invocation of system commands via Java reflection or direct subprocess calls.
**Recommendations**
Update to version 3.30.2 or later.