Security Advisory - Published 2026-07-06 - Application Platforms

Application platform batch: check workflow engines, Redis exposure, campaign jobs, and secrets

This batch covers application platforms where workflow execution, Redis-backed state, and campaign operations can affect secrets and business data. Public reachability and administrative logs matter more than broad scanner output.

Defensive scope: check systems you own or are approved to repair. This page stays on inventory, patching, log review, and secret rotation decisions.

Affected CVEs in this batch

CVEProductAffectedReviewCVSS
CVE-2026-48286Adobe Campaign Classic<= 7.4.3 build 9396operator roles, workflow logs, and campaign job activity10.0
CVE-2026-7871IBM Langflow OSS1.0.0 through 1.10.0Redis exposure, application secrets, and flow execution logs9.8
CVE-2026-58138Orkes Conductor3.21.21 before 3.30.2workflow definitions, worker logs, and task execution history9.8

What to check

  • Adobe Campaign Classic version and build, operator role changes, workflow history, and campaign job activity.
  • Orkes Conductor version, externally reachable endpoints, workflow definitions, task logs, and worker execution history.
  • IBM Langflow OSS version, Redis network exposure, stored credentials, flow execution logs, and deployment secrets.
  • Whether any of these platforms can reach production databases, mail systems, customer data, or internal services.

Safe fix path

  1. Patch Adobe Campaign Classic, Orkes Conductor, and IBM Langflow OSS to fixed vendor releases.
  2. Remove public exposure from workflow consoles, Redis, admin endpoints, and non-production deployments.
  3. Preserve workflow, worker, Redis, campaign, and identity logs before cleanup.
  4. Rotate application secrets, Redis credentials, API keys, mail credentials, and downstream tokens if execution integrity is uncertain.

Compromise indicators

  • Workflow definitions, campaign jobs, or flow runs created outside normal operator activity.
  • Redis access from unknown hosts, new keys containing secrets, or unexpected application state changes.
  • Worker logs showing unusual task execution, failed commands, or access to internal services.
  • New operator accounts, changed roles, or exported campaign/customer data without a matching ticket.

When to ask Ping7 for repair

Use Ping7 CVE Repair when a workflow platform is exposed, Redis may have been reachable, secrets need rotation, or you need to review execution logs before restarting jobs.

References