Description
Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. This vulnerability is fixed in com.ritense.valtimo:document 2.32.0, com.ritense.valtimo:case 13.23.0, and com.ritense.valtimo:contract 13.23.0.
Published: 2026-05-14
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated Admin user to inject arbitrary Spring Expression Language (SpEL) code through user‑supplied input that is evaluated with a StandardEvaluationContext. Because that context imposes no restrictions, the injected expression can reference arbitrary Java classes and invoke their methods, giving the attacker full control of the application, the ability to exfiltrate credentials, and the ability to perform other malicious actions with the privileges of the running process. This is a CWE-94: Improper Control of Generation of Code (Code Injection) vulnerability.

Affected Systems

The affected components are com.ritense.valtimo:document versions 12.0.0 through 12.31.99, com.ritense.valtimo:case versions 13.0.0 through 13.22.99, and com.ritense.valtimo:contract versions 13.4.0 through 13.22.99. These are part of the Valtimo open‑source business process automation platform.

Risk and Exploitability

The CVSS score of 9.1 indicates a high‑severity impact. EPSS data is not available, so the current exploitation probability is unknown, and the vulnerability is not listed in CISA’s KEV catalog. Because the flaw requires an authenticated user with the ADMIN role, exploitation is limited to attackers who already hold that privilege, but the impact of a successful exploit remains severe.

Generated by OpenCVE AI on May 14, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade com.ritense.valtimo:document to version 2.32.0, com.ritense.valtimo:case to 13.23.0, and com.ritense.valtimo:contract to 13.23.0, the officially released patches that eliminate the insecure SpEL evaluation.
  • Limit the use of StandardEvaluationContext for user-supplied data, or replace it with a safer expression evaluator that does not expose unrestricted Java types.
  • Apply least‑privilege principles to ADMIN accounts, restricting them to only the necessary functions, and monitor administrative actions for anomalous SpEL activity.

Generated by OpenCVE AI on May 14, 2026 at 18:52 UTC.
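The second recommended action above, shown as an added example (not Valtimo's code): the same user-controlled expression evaluated with the unrestricted StandardEvaluationContext the advisory describes, and with Spring's SimpleEvaluationContext in read-only data-binding mode, which refuses type references such as T(...) and method invocation. It assumes only spring-expression on the classpath; the variable names and the sample expressions are constructed for the demo.

```java
// Added illustrative example, not Valtimo's code. Assumes spring-expression on the classpath.
import java.util.Map;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelEvaluationDemo {
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** The pattern the advisory describes: StandardEvaluationContext exposes every Java type and method. */
    static Object evaluateUnsafe(String userExpression, Map<String, Object> variables) {
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        variables.forEach(ctx::setVariable);
        return PARSER.parseExpression(userExpression).getValue(ctx);
    }

    /** Hardened form: read-only data binding, no type references, no method invocation. */
    static Object evaluateRestricted(String userExpression, Map<String, Object> variables) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        variables.forEach(ctx::setVariable);
        return PARSER.parseExpression(userExpression).getValue(ctx);
    }

    public static void main(String[] args) {
        // Constructed sample variables standing in for case data.
        Map<String, Object> vars = Map.of("caseStatus", "OPEN", "amount", 42);

        // Ordinary data-binding expressions still work in the restricted context.
        System.out.println(evaluateRestricted("#caseStatus == 'OPEN' and #amount > 10", vars));

        // A type reference is the building block of the unrestricted access the advisory describes.
        String typeRef = "T(java.lang.Math).max(1, 2)";
        // StandardEvaluationContext resolves the class and invokes the static method.
        System.out.println(evaluateUnsafe(typeRef, vars));

        // SimpleEvaluationContext has no type locator, so the same expression fails to evaluate.
        try {
            evaluateRestricted(typeRef, vars);
            System.out.println("unexpected: type reference evaluated");
        } catch (EvaluationException e) {
            System.out.println("rejected by SimpleEvaluationContext: " + e.getMessage());
        }
    }
}
```

Whether read-only data binding is sufficient depends on which features the application's expressions legitimately need; each capability enabled on the context builder widens what an ADMIN user can reach.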

Advisories

  Source: Github GHSA
  ID: GHSA-j7j9-5253-f7vh
  Title: Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users

History

Sun, 17 May 2026 18:00:00 +0000

  First Time appeared (values added): Com.ritense.valtimo; Com.ritense.valtimo case; Com.ritense.valtimo contract; Com.ritense.valtimo document; Valtimo-platform; Valtimo-platform valtimo
  Vendors & Products (values added): Com.ritense.valtimo; Com.ritense.valtimo case; Com.ritense.valtimo contract; Com.ritense.valtimo document; Valtimo-platform; Valtimo-platform valtimo

Thu, 14 May 2026 19:15:00 +0000

  Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 17:00:00 +0000

  Description (values added): Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. This vulnerability is fixed in com.ritense.valtimo:document 2.32.0, com.ritense.valtimo:case 13.23.0, and com.ritense.valtimo:contract 13.23.0.
  Title (values added): Valtimo: SpEL injection via StandardEvaluationContext allows Remote Code Execution by admin users
  Weaknesses (values added): CWE-94
  References:
  Metrics (values added): cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:27:58.801Z

Reserved: 2026-04-28T16:56:50.191Z

Link: CVE-2026-42555

Vulnrichment

Updated: 2026-05-14T18:23:14.660Z

NVD

Status: Deferred

Published: 2026-05-14T17:16:21.907

Modified: 2026-05-14T18:13:33.660

Link: CVE-2026-42555

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T17:09:09Z

Weaknesses