Skip to main content

Valtimo CVE-2026-42555

| EUVDEUVD-2026-30336 CRITICAL
Code Injection (CWE-94)
2026-05-06 https://github.com/valtimo-platform/valtimo GHSA-j7j9-5253-f7vh
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 06, 2026 - 22:37 vuln.today
Analysis Generated
May 06, 2026 - 22:37 vuln.today
CVE Published
May 06, 2026 - 21:41 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Summary

Multiple classes evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration.

Impact

An attacker with ADMIN credentials can:

  • Execute arbitrary OS commands via T(java.lang.Runtime).getRuntime().exec('...')
  • Exfiltrate all environment variables (database passwords, API keys, Keycloak secrets) via T(java.lang.System).getenv()
  • Read JVM system properties via T(java.lang.System).getProperties()
  • Load arbitrary classes via T(java.lang.Class).forName('...')

Affected Components

1. DocumentMigrationService (since 12.0.0)

Exploitable through the document migration REST API:

  • POST /api/management/v1/document-definition/migrate
  • POST /api/management/v1/document-definition/migration/conflicts

The malicious SpEL expression is supplied in the source or target field of a DocumentMigrationPatch object in the request body, using the ${...} template syntax.

  • In 12.x: com.ritense.document.service.DocumentMigrationService#handleSpelExpression (document module)
  • In 13.x: same class, moved to the case module

2. Condition (since 13.4.0)

Exploitable through any admin-configured widget, dashboard, or feature that uses the Condition framework. The SpEL expression is supplied in the value field of a condition's JSON configuration.

  • com.ritense.valtimo.contract.conditions.Condition#resolveValue (contract module)

This component has a significantly wider attack surface than DocumentMigrationService, as conditions are used across many modules.

Remediation

Replace StandardEvaluationContext with SimpleEvaluationContext in both affected classes, which disallows Java type references and arbitrary method invocation:

kotlin
val evaluationContext = SimpleEvaluationContext
    .forPropertyAccessors(MapAccessor(), jsonPropertyAccessor)
    .build()

AnalysisAI

Spring Expression Language injection in Valtimo (open-source business process platform) allows authenticated ADMIN users to execute arbitrary OS commands and exfiltrate credentials. The vulnerability exists in DocumentMigrationService (versions 12.0.0-12.31.0 and 13.0.0-13.22.0) and the Condition framework (13.4.0-13.22.0), both of which use StandardEvaluationContext to evaluate user-supplied SpEL expressions without restrictions. Attackers can invoke Runtime.exec(), access environment variables containing database passwords and API keys, and load arbitrary Java classes. Vendor-released patches are available (12.32.0, 13.23.0). No public exploit identified at time of analysis, EPSS data not available.

Technical ContextAI

Spring Expression Language (SpEL) is a powerful expression language in the Spring Framework that supports querying and manipulating object graphs at runtime. The vulnerability stems from using StandardEvaluationContext instead of SimpleEvaluationContext when evaluating SpEL expressions. StandardEvaluationContext provides full access to the Java type system through the T(...) operator, enabling reflection-based attacks. The affected Valtimo components (DocumentMigrationService in document/case modules and Condition in contract module) accept SpEL expressions in ${...} template syntax from REST API requests (document migration endpoints) and JSON configuration (condition framework). CWE-94 (Code Injection) correctly classifies this as arbitrary code execution through unsafe evaluation of user-controlled expressions. The CPE identifiers pkg:maven/com.ritense.valtimo:document, pkg:maven/com.ritense.valtimo:case, and pkg:maven/com.ritense.valtimo:contract pinpoint the exact Maven artifacts affected across Valtimo's modular architecture.

RemediationAI

Upgrade to patched versions immediately: Valtimo 12.32.0 for 12.x deployments or Valtimo 13.23.0 for 13.x deployments. The vendor has replaced StandardEvaluationContext with SimpleEvaluationContext in both DocumentMigrationService and Condition classes, which disallows Java type references and arbitrary method invocation while preserving property access functionality. Upgrade instructions and release artifacts available at https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-j7j9-5253-f7vh. If immediate patching is not feasible, implement compensating controls: (1) Audit and restrict ADMIN role assignments to minimum necessary personnel with background checks and periodic access reviews - this reduces the threat actor pool but does not eliminate risk from compromised accounts or malicious insiders; (2) Monitor and alert on POST requests to /api/management/v1/document-definition/migrate and /api/management/v1/document-definition/migration/conflicts endpoints for unusual patterns or ${T(...)} syntax in request bodies; (3) Enable application-level logging of SpEL expression evaluation attempts and integrate with SIEM; (4) Deploy runtime application self-protection (RASP) or web application firewall rules to detect T(java.lang.Runtime) and similar reflection patterns in POST body content - note this may cause false positives and requires tuning. These mitigations reduce but do not eliminate exploitation risk and should be treated as temporary measures pending upgrade. Code review of custom Valtimo extensions is recommended to ensure no additional StandardEvaluationContext usage exists.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-42555 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy