SpEL Remote Code Execution in Valtimo 12.x-13.23.x (Document, Case, Contract)
CVE-2026-42555 Published on May 14, 2026
Valtimo: SpEL injection via StandardEvaluationContext allows Remote Code Execution by admin users
Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. This vulnerability is fixed in com.ritense.valtimo:document 2.32.0, com.ritense.valtimo:case 13.23.0, and com.ritense.valtimo:contract 13.23.0.
Vulnerability Analysis
CVE-2026-42555 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-42555 has been classified to as a Code Injection vulnerability or weakness.
Affected Versions
valtimo-platform valtimo:- Version < 13.23.0 is affected.
- Version >= 13.0.0, < 13.23.0 is affected.
- Version >= 13.4.0, < 13.23.0 is affected.
- Version >= 12.0.0, < 12.32.0 is affected.