Vulnerability-Lookup

CVE-2026-42555 (GCVE-0-2026-42555)

Vulnerability from cvelistv5 – Published: 2026-05-14 16:45 – Updated: 2026-05-14 18:27

Title

Valtimo: SpEL injection via StandardEvaluationContext allows Remote Code Execution by admin users

Summary

Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. This vulnerability is fixed in com.ritense.valtimo:document 2.32.0, com.ritense.valtimo:case 13.23.0, and com.ritense.valtimo:contract 13.23.0.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/valtimo-platform/valtimo/secur…	x_refsource_CONFIRM

Impacted products

4 products

Vendor	Product	Version
valtimo-platform	valtimo	Affected: < 13.23.0
com.ritense.valtimo	case	Affected: >= 13.0.0, < 13.23.0
com.ritense.valtimo	contract	Affected: >= 13.4.0, < 13.23.0
com.ritense.valtimo	document	Affected: >= 12.0.0, < 12.32.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42555",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T18:15:49.269576Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T18:27:58.801Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "valtimo",
          "vendor": "valtimo-platform",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 13.23.0"
            }
          ]
        },
        {
          "product": "case",
          "vendor": "com.ritense.valtimo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 13.0.0, \u003c 13.23.0"
            }
          ]
        },
        {
          "product": "contract",
          "vendor": "com.ritense.valtimo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 13.4.0, \u003c 13.23.0"
            }
          ]
        },
        {
          "product": "document",
          "vendor": "com.ritense.valtimo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 12.0.0, \u003c 12.32.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. This vulnerability is fixed in com.ritense.valtimo:document 2.32.0, com.ritense.valtimo:case 13.23.0, and com.ritense.valtimo:contract 13.23.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T16:45:48.718Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-j7j9-5253-f7vh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-j7j9-5253-f7vh"
        }
      ],
      "source": {
        "advisory": "GHSA-j7j9-5253-f7vh",
        "discovery": "UNKNOWN"
      },
      "title": "Valtimo: SpEL injection via StandardEvaluationContext allows Remote Code Execution by admin users"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42555",
    "datePublished": "2026-05-14T16:45:48.718Z",
    "dateReserved": "2026-04-28T16:56:50.191Z",
    "dateUpdated": "2026-05-14T18:27:58.801Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42555",
      "date": "2026-05-26",
      "epss": "0.00305",
      "percentile": "0.53775"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42555\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-14T17:16:21.907\",\"lastModified\":\"2026-05-14T18:13:33.660\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. This vulnerability is fixed in com.ritense.valtimo:document 2.32.0, com.ritense.valtimo:case 13.23.0, and com.ritense.valtimo:contract 13.23.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-j7j9-5253-f7vh\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42555\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-14T18:15:49.269576Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-14T18:23:14.660Z\"}}], \"cna\": {\"title\": \"Valtimo: SpEL injection via StandardEvaluationContext allows Remote Code Execution by admin users\", \"source\": {\"advisory\": \"GHSA-j7j9-5253-f7vh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"valtimo-platform\", \"product\": \"valtimo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 13.23.0\"}]}, {\"vendor\": \"com.ritense.valtimo\", \"product\": \"case\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 13.0.0, \u003c 13.23.0\"}]}, {\"vendor\": \"com.ritense.valtimo\", \"product\": \"contract\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 13.4.0, \u003c 13.23.0\"}]}, {\"vendor\": \"com.ritense.valtimo\", \"product\": \"document\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 12.0.0, \u003c 12.32.0\"}]}], \"references\": [{\"url\": \"https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-j7j9-5253-f7vh\", \"name\": \"https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-j7j9-5253-f7vh\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. This vulnerability is fixed in com.ritense.valtimo:document 2.32.0, com.ritense.valtimo:case 13.23.0, and com.ritense.valtimo:contract 13.23.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-14T16:45:48.718Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42555\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-14T18:27:58.801Z\", \"dateReserved\": \"2026-04-28T16:56:50.191Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-14T16:45:48.718Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-42555

Vulnerability from fkie_nvd - Published: 2026-05-14 17:16 - Updated: 2026-05-14 18:13

Severity

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-j7j9-5253-f7vh

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. This vulnerability is fixed in com.ritense.valtimo:document 2.32.0, com.ritense.valtimo:case 13.23.0, and com.ritense.valtimo:contract 13.23.0."
    }
  ],
  "id": "CVE-2026-42555",
  "lastModified": "2026-05-14T18:13:33.660",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-14T17:16:21.907",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-j7j9-5253-f7vh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-J7J9-5253-F7VH

Vulnerability from github – Published: 2026-05-06 21:41 – Updated: 2026-05-14 20:52

Summary

Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users

Details

Summary

Multiple classes evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration.

Impact

An attacker with ADMIN credentials can: - Execute arbitrary OS commands via T(java.lang.Runtime).getRuntime().exec('...') - Exfiltrate all environment variables (database passwords, API keys, Keycloak secrets) via T(java.lang.System).getenv() - Read JVM system properties via T(java.lang.System).getProperties() - Load arbitrary classes via T(java.lang.Class).forName('...')

Affected Components

1. DocumentMigrationService (since 12.0.0)

Exploitable through the document migration REST API: - POST /api/management/v1/document-definition/migrate - POST /api/management/v1/document-definition/migration/conflicts

The malicious SpEL expression is supplied in the source or target field of a DocumentMigrationPatch object in the request body, using the ${...} template syntax.

In 12.x: com.ritense.document.service.DocumentMigrationService#handleSpelExpression (document module)
In 13.x: same class, moved to the case module

2. Condition (since 13.4.0)

Exploitable through any admin-configured widget, dashboard, or feature that uses the Condition framework. The SpEL expression is supplied in the value field of a condition's JSON configuration.

com.ritense.valtimo.contract.conditions.Condition#resolveValue (contract module)

This component has a significantly wider attack surface than DocumentMigrationService, as conditions are used across many modules.

Remediation

Replace StandardEvaluationContext with SimpleEvaluationContext in both affected classes, which disallows Java type references and arbitrary method invocation:

val evaluationContext = SimpleEvaluationContext
    .forPropertyAccessors(MapAccessor(), jsonPropertyAccessor)
    .build()

Severity

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.ritense.valtimo:document"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.32.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.ritense.valtimo:case"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.ritense.valtimo:contract"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.4.0"
            },
            {
              "fixed": "13.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42555"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T21:41:44Z",
    "nvd_published_at": "2026-05-14T17:16:21Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nMultiple classes evaluate Spring Expression Language (SpEL) expressions from user-supplied input using `StandardEvaluationContext`, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration.\n\n### Impact\n\nAn attacker with ADMIN credentials can:\n- **Execute arbitrary OS commands** via `T(java.lang.Runtime).getRuntime().exec(\u0027...\u0027)`\n- **Exfiltrate all environment variables** (database passwords, API keys, Keycloak secrets) via `T(java.lang.System).getenv()`\n- **Read JVM system properties** via `T(java.lang.System).getProperties()`\n- **Load arbitrary classes** via `T(java.lang.Class).forName(\u0027...\u0027)`\n\n### Affected Components\n\n**1. DocumentMigrationService** (since 12.0.0)\n\nExploitable through the document migration REST API:\n- `POST /api/management/v1/document-definition/migrate`\n- `POST /api/management/v1/document-definition/migration/conflicts`\n\nThe malicious SpEL expression is supplied in the `source` or `target` field of a `DocumentMigrationPatch` object in the request body, using the `${...}` template syntax.\n\n- In 12.x: `com.ritense.document.service.DocumentMigrationService#handleSpelExpression` (document module)\n- In 13.x: same class, moved to the case module\n\n**2. Condition** (since 13.4.0)\n\nExploitable through any admin-configured widget, dashboard, or feature that uses the `Condition` framework. The SpEL expression is supplied in the `value` field of a condition\u0027s JSON configuration.\n\n- `com.ritense.valtimo.contract.conditions.Condition#resolveValue` (contract module)\n\nThis component has a significantly wider attack surface than DocumentMigrationService, as conditions are used across many modules.\n\n### Remediation\n\nReplace `StandardEvaluationContext` with `SimpleEvaluationContext` in both affected classes, which disallows Java type references and arbitrary method invocation:\n\n```kotlin\nval evaluationContext = SimpleEvaluationContext\n    .forPropertyAccessors(MapAccessor(), jsonPropertyAccessor)\n    .build()\n```",
  "id": "GHSA-j7j9-5253-f7vh",
  "modified": "2026-05-14T20:52:47Z",
  "published": "2026-05-06T21:41:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-j7j9-5253-f7vh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42555"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/valtimo-platform/valtimo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42555 (GCVE-0-2026-42555)

FKIE_CVE-2026-42555

GHSA-J7J9-5253-F7VH

Summary

Impact

Affected Components

Remediation

Tags

Sightings

Nomenclature