Unauthenticated RCE in Netflix/Orkes Conductor (CVE-2026-58138): Patch to 3.30.2 Now
Conductor (formerly Netflix Conductor), a platform that chains business processes, has a flaw (CVE-2026-58138): sending one crafted workflow definition to the API runs commands before login. Rated 9.8; update to 3.30.2 now.
A critical flaw has been found in Conductor (formerly Netflix Conductor), software widely used as a "workflow platform" that chains many steps together and runs them automatically. Just by sending a crafted workflow definition to the server, an attacker can run any command on it before passing authentication. The flaw is tracked as CVE-2026-58138, rated 9.8 out of 10 (CVSS v3.1), among the highest possible. It was recorded in the U.S. National Vulnerability Database (NVD) dated June 30, 2026.
The most dangerous part is that the attack requires no login. A feature that should only be reachable by authenticated, legitimate users can be abused before authentication. The fixed version 3.30.2 is already available. Conductor runs behind the scenes of many companies' systems as open-source software, so any organization running an affected version where it's reachable from outside should act now.
| Item | Details |
|---|---|
| CVE ID | CVE-2026-58138 |
| Affected software | Conductor (conductor-oss) 3.21.21 up to before 3.30.2 |
| Severity (CVSS) | 9.8 (v3.1) / 9.3 (v4.0), top tier |
| Attack prerequisite | Reaching the workflow API (no login, no interaction) |
| Mitigation now | Update to fixed version 3.30.2 (temporarily close the API from outside) |
* A "workflow definition" is like a blueprint that says which steps run in what order. Conductor takes this blueprint and carries out the steps as written.
Who is at risk, and what is the damage?
Those who exploit this are attackers scanning the internet for exposed Conductor APIs. An API is the window through which programs talk to each other. Because Conductor runs on requests from other systems, that window is sometimes reachable from outside. Attackers scan servers worldwide and target any public window where Conductor responds. Since this flaw needs no login, any server they can reach becomes a target.
What the attacker does is simply send a workflow definition laced with commands to the pre-authentication API. Conductor lets you embed short programs (calculations or conditional logic) inside a workflow, normally a useful feature. But this mechanism is not safely isolated, so the server runs the commands the attacker slipped in. Once a command gets through, more programs can be pushed in one after another.
Once arbitrary commands can run, the server is effectively taken over. Conductor often sits at the hub that coordinates business processing, where data and connection details to other systems tend to gather. Seize that, and the damage spreads fast: data theft, a foothold into other systems, even planting ransomware. The direct target is the company operating Conductor, but the ones ultimately affected are the ordinary users of the services beyond it. In the sense that the hub holding your information is what gets hit, this is not only the operators' problem.
What Conductor is, and why it concerns so many organizations
Conductor is foundational software (a workflow orchestration platform) for automatically running many steps "first this, then that," following an order and conditions. It was originally built and open-sourced in-house by the video service Netflix, and development is now carried on by a community centered on the company Orkes (conductor-oss). It's used wherever multiple tasks must be chained reliably (order processing, data aggregation, linking AI steps) and is valued for handling large volumes of processing stably.
Its hallmark is that it is invisible from the front yet sits at the center of the business flow. Rather than a screen users touch directly, it plays the "conductor" role that links processing behind the scenes. That's exactly why a takeover here doesn't stop at a single service. Note that Conductor has had a prior flaw of the same kind: a program embedded in a workflow not being safely isolated and able to run commands (CVE-2025-26074). This is a new flaw in that lineage, meaning a similar weakness lingered in a different form.
Why does merely sending a definition run commands?
Technically this flaw is a type called code injection (CWE-94): slipping commands into input that should be treated as mere data, and getting the program to execute them by mistake.
A Conductor workflow has a mechanism to embed short JavaScript or Python expressions for simple calculations or conditional decisions mid-process. These expressions are evaluated by the GraalVM execution engine, but according to the NVD writeup, that evaluation was not safely isolated (sandboxed). As a result, an expression can reach deep language features (Java reflection, or calls that launch another program) and ultimately run commands against the server's OS. Specifically, abuse paths have been confirmed in task types such as INLINE, LAMBDA, DO_WHILE, and SWITCH.
Worse, this abuse works before authentication (pre-auth). The attacker doesn't even need a legitimate account; sending a crafted definition to the workflow-accepting API is enough. That's why the severity is rated at the top tier of 9.8. The same shape, "a platform that automatically chains business processes, taken over without authentication," has happened in other products too. The Kestra flaw (CVE-2026-53576) we covered earlier was the same weakness of allowing serious actions before authentication. These platforms hold strong privileges in exchange for their convenience, so weak guarding at the entrance tends to magnify the damage.
Is my server at risk? A quick situation chart
Your risk depends heavily on whether your version is in scope and whether your workflow API is reachable from outside. Match your situation against the chart.
| Your situation | Risk | What to do now |
|---|---|---|
| Affected version, API exposed to the internet | Highest (can be taken over unauth) | Update to 3.30.2 now. If not possible, stop external exposure |
| Affected version, used only on internal network | High (insiders / pivots can abuse) | Update promptly. Restrict where connections come from |
| Unsure whether you use Conductor | Unknown; check (often runs behind the scenes) | Inventory first. Confirm what's running and its version |
| Already applied 3.30.2 or later | Low (this flaw is fixed) | Check for signs of intrusion; keep updating going forward |
* In scope is Conductor (conductor-oss) from 3.21.21 up to before 3.30.2. You can check your version from the running Conductor's info. If you use the commercial edition from Orkes, also check the vendor's guidance.
What you should do now
The top priority is to update to the fixed version, Conductor 3.30.2 or later, immediately. This flaw is fixed in that release. Get the latest version from the conductor-oss releases page and apply it. Flaws that allow unauthenticated takeover are hunted automatically right after disclosure, so this is a "do it now" matter, not an "at the next scheduled maintenance" one.
If you genuinely cannot update right away, consider a stopgap of making the workflow-accepting API unreachable directly from the internet. If it doesn't need to be public, keep it on the internal network; if it does, restrict source addresses and place a defense in front to narrow the attack surface. In particular, if you accept workflow definitions from untrusted external parties, temporarily stopping that path is worth considering.
Also check whether you have already been breached. Look for workflows you don't recognize, suspicious process launches, or outbound traffic in the logs. Conductor has had flaws of the same kind before, so attackers have accumulated know-how against it. It's safest to prepare on the assumption that abuse will spread this time too. As of this article, we have not confirmed any public report (such as a listing in the U.S. CISA Known Exploited Vulnerabilities catalog, KEV) of real-world exploitation, but the situation can change, so check official sources regularly.
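As a concrete starting point for the two checks above (is my version in scope, and do the registered workflow definitions contain scripts I don't recognize), here is an added triage helper. It is not part of the conductor-oss project; the version range and task types come from the advisory, while the JSON field names (`expression`, `scriptExpression`, `loopCondition`, `inputParameters`), the host-access indicator strings and the sample definitions are assumptions constructed for this example. Feed it the version string and the workflow definitions exported from your own instance.

```python
import json
import re

AFFECTED_FROM = (3, 21, 21)   # advisory: affected from 3.21.21 ...
FIXED_IN = (3, 30, 2)         # ... up to but not including 3.30.2
SCRIPT_TASK_TYPES = {"INLINE", "LAMBDA", "DO_WHILE", "SWITCH"}  # named in the advisory
# Assumed heuristic: an expression touching host Java objects deserves review;
# a normal workflow expression only does arithmetic or branching on inputs.
HOST_ACCESS_HINTS = ("Java.type", "ProcessBuilder", "Runtime", "getClass")

# Constructed sample: one ordinary definition and one unrecognised definition
# whose script reaches for a host class (placeholder name, not a real exploit).
SAMPLE_DEFS = json.loads("""[
 {"name": "order_processing", "tasks": [
   {"name": "total", "type": "INLINE",
    "inputParameters": {"evaluatorType": "javascript", "expression": "$.qty * $.price"}}]},
 {"name": "tmp_x9", "tasks": [
   {"name": "run", "type": "LAMBDA",
    "inputParameters": {"scriptExpression": "Java.type('some.host.Class')"}}]}
]""")


def parse_version(text):
    """'3.30.1', 'v3.30.1' or '3.30.2-SNAPSHOT' -> (3, 30, 1) style tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    """True when the version lies inside [3.21.21, 3.30.2)."""
    return AFFECTED_FROM <= parse_version(text) < FIXED_IN


def _script_fields(task):
    # Assumed locations of evaluated expressions: top level or under inputParameters.
    for key in ("expression", "scriptExpression", "loopCondition"):
        if key in task:
            yield key, str(task[key])
        val = task.get("inputParameters", {}).get(key)
        if val is not None:
            yield f"inputParameters.{key}", str(val)


def audit_workflow_defs(defs):
    """One finding per script-bearing task, flagging suspected host access."""
    findings = []
    for wf in defs:
        for task in wf.get("tasks", []):
            if task.get("type") not in SCRIPT_TASK_TYPES:
                continue
            for field, script in _script_fields(task):
                findings.append({"workflow": wf.get("name"), "task": task.get("name"),
                                 "type": task["type"], "field": field, "script": script,
                                 "host_access_suspected": any(h in script for h in HOST_ACCESS_HINTS)})
    return findings


def unexpected_workflows(defs, known_names):
    """Names of registered definitions absent from your own inventory."""
    return sorted(wf["name"] for wf in defs if wf.get("name") not in known_names)
```

Review every finding with `host_access_suspected` set and every name returned by `unexpected_workflows` against your change records; a definition nobody can account for is a sign of intrusion, not just a bad script.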
Frequently asked questions
I don't think we use Conductor. Does this concern us?
Not directly. However, Conductor is often used as a behind-the-scenes platform users never touch, and "we didn't realize it was running in our systems" can happen. It's reassuring to inventory the systems running in your organization and check once whether Conductor (formerly Netflix Conductor) is in use. A service you rely on could be using it too.
Which versions are dangerous, and which should I move to?
According to the NVD entry, in scope is Conductor (conductor-oss) from 3.21.21 up to before 3.30.2. The fix is 3.30.2; updating to that or later resolves this flaw. You can check your version from the running Conductor's info. If you use the Orkes commercial edition, follow the vendor's guidance to update.
I can't update right away. What should I do?
For now, make the workflow-accepting API unreachable directly from the internet. If public exposure isn't needed, keep it on the internal network; if it is, restrict source addresses. Consider temporarily stopping any path that accepts workflow definitions from untrusted external parties. Also check whether suspicious workflows have already been registered, and move to 3.30.2 or later as soon as you can.
Is it already being exploited?
As of this article, we have not confirmed any public report (such as a CISA KEV listing) that this flaw has been used in real attacks. That said, Conductor has had flaws of the same kind before, and unauthenticated-takeover flaws tend to be hunted right after disclosure. It's safest to finish updating before abuse spreads. The situation can change, so check official sources regularly.
Summary
CVE-2026-58138 is a flaw in Conductor, the platform that automatically chains business processes: a program embedded in a workflow is not safely isolated, and it can be abused before authentication. By merely sending a crafted workflow definition to the API, an attacker can run any command on the server without logging in, opening the door to data theft and a foothold into other systems. The severity is rated at the top tier of 9.8.
The fix is clear: update to Conductor 3.30.2 or later immediately. If that's not possible right away, buy time by making the workflow API unreachable from outside, and check whether you've already been breached. For a platform that runs the hub of your business, "it's running, so it's fine" is exactly the trap; acting now is what prevents the damage.
Update history
- July 1, 2026: First published (created following the NVD entry dated June 30, 2026 and the conductor-oss fixed release 3.30.2).
Makoto Horikawa
Backend Engineer / AWS / Django