Skip to content
Verified reproduction

CVE-2026-58138: Orkes Conductor unauthenticated RCE via inline script evaluators

CVE-2026-58138 is verified against the affected target vulnerability class: RCE This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00236.

REPRO-2026-00236 RCE Variant found Jul 6, 2026 .txt
Severity CRITICAL
Confidence HIGH
Reproduced in 24m 53s
Tool calls 258
Spend $3.95
$ pruva-verify REPRO-2026-00236
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00236/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Orkes Conductor OSS before v3.30.2 contains an unauthenticated RCE vulnerability (CVE-2026-58138, CVSS 9.8) where remote attackers submit inline workflow definitions with malicious JavaScript or Python expressions to the workflow API endpoint without authentication. Unsandboxed GraalVM script evaluators configured with HostAccess.ALL or allowAllAccess(true) allow arbitrary OS command execution via Java reflection or direct subprocess calls. Affected task types: INLINE, LAMBDA, DO_WHILE, SWITCH.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.