CVE-2025-26074: 
Java vulnerability analysis and mitigation

Orkes Conductor v3.21.11 contains a remote code execution vulnerability (CVE-2025-26074) that allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes. The vulnerability was discovered in January 2025 and affects the core functionality of the workflow orchestration engine (NVD, Medium Blog).

The vulnerability stems from the unsafe use of the Nashorn JavaScript engine without proper restrictions in Conductor's Inline tasks. The flaw occurs when Nashorn is executed without the --no-java flag and no sandboxing or input validation is in place. This allows attackers to inject Java expressions via Inline tasks that can execute arbitrary OS commands. The vulnerability has been assigned a CVSS v3.1 score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, Medium Blog).

The vulnerability allows attackers to gain full remote shell access on servers running vulnerable versions of Conductor. Through the exploitation of this vulnerability, attackers can execute arbitrary OS commands with the privileges of the Conductor process, potentially leading to complete system compromise (Medium Blog).

Organizations should immediately upgrade to Conductor version 3.21.13 or later which includes the fix. Additional recommended mitigations include never exposing Conductor OSS to the Internet as it's not designed for public access, and limiting who can define or update workflows. The vulnerability can be prevented by ensuring the Nashorn JavaScript engine is executed with the --no-java flag (Medium Blog).