Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users

GHSA-j7j9-5253-f7vh · CVE-2026-42555

Published May 6, 2026 · Modified May 14, 2026

Description

Summary

Multiple classes evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration.

Impact

An attacker with ADMIN credentials can:

Execute arbitrary OS commands via T(java.lang.Runtime).getRuntime().exec('...')
Exfiltrate all environment variables (database passwords, API keys, Keycloak secrets) via T(java.lang.System).getenv()
Read JVM system properties via T(java.lang.System).getProperties()
Load arbitrary classes via T(java.lang.Class).forName('...')

Affected Components

1. DocumentMigrationService (since 12.0.0)

Exploitable through the document migration REST API:

POST /api/management/v1/document-definition/migrate
POST /api/management/v1/document-definition/migration/conflicts

The malicious SpEL expression is supplied in the source or target field of a DocumentMigrationPatch object in the request body, using the ${...} template syntax.

In 12.x: com.ritense.document.service.DocumentMigrationService#handleSpelExpression (document module)
In 13.x: same class, moved to the case module

2. Condition (since 13.4.0)

Exploitable through any admin-configured widget, dashboard, or feature that uses the Condition framework. The SpEL expression is supplied in the value field of a condition's JSON configuration.

com.ritense.valtimo.contract.conditions.Condition#resolveValue (contract module)

This component has a significantly wider attack surface than DocumentMigrationService, as conditions are used across many modules.

Remediation

Replace StandardEvaluationContext with SimpleEvaluationContext in both affected classes, which disallows Java type references and arbitrary method invocation:

val evaluationContext = SimpleEvaluationContext
    .forPropertyAccessors(MapAccessor(), jsonPropertyAccessor)
    .build()

References

9.1 / 10

CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Packages

Maven/com.ritense.valtimo:case

Fix 13.23.0

Introduced 13.0.0

33 affected versions

13.0.0.RELEASE13.0.1.RELEASE13.0.2.RELEASE13.1.0.RELEASE13.1.1.RELEASE13.1.2.RELEASE13.1.3.RELEASE13.10.0.RELEASE13.11.0.RELEASE13.12.0.RELEASE13.13.0.RELEASE13.14.0.RELEASE13.15.0.RELEASE13.16.0.RELEASE13.17.0.RELEASE13.17.1.RELEASE13.18.0.RELEASE13.19.0.RELEASE13.2.0.RELEASE13.2.1.RELEASE +13 more

Maven/com.ritense.valtimo:contract

Fix 13.23.0

Introduced 13.4.0

23 affected versions

13.10.0.RELEASE13.11.0.RELEASE13.12.0.RELEASE13.13.0.RELEASE13.14.0.RELEASE13.15.0.RELEASE13.16.0.RELEASE13.17.0.RELEASE13.17.1.RELEASE13.18.0.RELEASE13.19.0.RELEASE13.20.0.RELEASE13.21.0.RELEASE13.22.0.RELEASE13.4.0.RELEASE13.4.1.RELEASE13.5.0.RELEASE13.5.1.RELEASE13.6.0.RELEASE13.7.0.RELEASE +3 more

Maven/com.ritense.valtimo:document

Fix 12.32.0

Introduced 12.0.0

55 affected versions

12.0.0.RELEASE12.0.1.RELEASE12.1.0.RELEASE12.1.1.RELEASE12.1.2.RELEASE12.1.3.RELEASE12.10.0.RELEASE12.10.1.RELEASE12.10.2.RELEASE12.11.0.RELEASE12.12.0.RELEASE12.13.0.RELEASE12.13.1.RELEASE12.14.0.RELEASE12.14.1.RELEASE12.15.1.RELEASE12.16.0.RELEASE12.16.1.RELEASE12.17.0.RELEASE12.17.1.RELEASE +35 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes