CVE-2026-58138: Orkes Conductor unauthenticated RCE via inline script evaluators
CVE-2026-58138 is verified against the affected target vulnerability class: RCE This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00236.
pruva-verify REPRO-2026-00236 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00236/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Orkes Conductor OSS before v3.30.2 contains an unauthenticated RCE vulnerability (CVE-2026-58138, CVSS 9.8) where remote attackers submit inline workflow definitions with malicious JavaScript or Python expressions to the workflow API endpoint without authentication. Unsandboxed GraalVM script evaluators configured with HostAccess.ALL or allowAllAccess(true) allow arbitrary OS command execution via Java reflection or direct subprocess calls. Affected task types: INLINE, LAMBDA, DO_WHILE, SWITCH.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.