Security Advisory - Published 2026-07-06 - Application Platforms
Application platform batch: check workflow engines, Redis exposure, campaign jobs, and secrets
This batch covers application platforms where workflow execution, Redis-backed state, and campaign operations can affect secrets and business data. Public reachability and administrative logs matter more than broad scanner output.
Affected CVEs in this batch
| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-48286 | Adobe Campaign Classic | <= 7.4.3 build 9396 | operator roles, workflow logs, and campaign job activity | 10.0 |
| CVE-2026-7871 | IBM Langflow OSS | 1.0.0 through 1.10.0 | Redis exposure, application secrets, and flow execution logs | 9.8 |
| CVE-2026-58138 | Orkes Conductor | 3.21.21 before 3.30.2 | workflow definitions, worker logs, and task execution history | 9.8 |
What to check
- Adobe Campaign Classic version and build, operator role changes, workflow history, and campaign job activity.
- Orkes Conductor version, externally reachable endpoints, workflow definitions, task logs, and worker execution history.
- IBM Langflow OSS version, Redis network exposure, stored credentials, flow execution logs, and deployment secrets.
- Whether any of these platforms can reach production databases, mail systems, customer data, or internal services.
Safe fix path
- Patch Adobe Campaign Classic, Orkes Conductor, and IBM Langflow OSS to fixed vendor releases.
- Remove public exposure from workflow consoles, Redis, admin endpoints, and non-production deployments.
- Preserve workflow, worker, Redis, campaign, and identity logs before cleanup.
- Rotate application secrets, Redis credentials, API keys, mail credentials, and downstream tokens if execution integrity is uncertain.
Compromise indicators
- Workflow definitions, campaign jobs, or flow runs created outside normal operator activity.
- Redis access from unknown hosts, new keys containing secrets, or unexpected application state changes.
- Worker logs showing unusual task execution, failed commands, or access to internal services.
- New operator accounts, changed roles, or exported campaign/customer data without a matching ticket.
When to ask Ping7 for repair
Use Ping7 CVE Repair when a workflow platform is exposed, Redis may have been reachable, secrets need rotation, or you need to review execution logs before restarting jobs.