PT-2025-23221 · Valtimo · Valtimo

Theo-Ritense · Published 2025-05-28 · Updated 2025-06-04 · CVE-2025-48881

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Valtimo versions 11.0.0.RELEASE through 11.3.3.RELEASE
Valtimo versions 12.0.0.RELEASE through 12.12.0.RELEASE

Description

An authorization flaw allows users without the appropriate authorization to list, view, edit, create, or delete any object for which an object-management configuration exists. If object URLs are exposed through other channels, the contents of those objects can be viewed regardless of the object-management configurations. No patches were known at the time of publication.

Recommendations

For all affected versions (11.0.0.RELEASE through 11.3.3.RELEASE and 12.0.0.RELEASE through 12.12.0.RELEASE), override the endpoint security defined in ObjectenApiHttpSecurityConfigurer and ObjectManagementHttpSecurityConfigurer so that the object and object-management endpoints are restricted to the users who are actually meant to reach them. Tightening these rules may result in loss of functionality for users who previously relied on the permissive defaults.
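One way to carry out the override described above, as an added example that is not part of this advisory and not Valtimo's own code: a Spring Security configurer registered ahead of Valtimo's defaults that puts explicit authority checks in front of the object and object-management endpoints. It assumes the HttpSecurityConfigurer contract interface from valtimo-contract, Spring Security 6 (requestMatchers/antMatcher, as used by Valtimo 12), placeholder path patterns /api/v1/object/** and /api/v1/object-management/** that must be replaced with the patterns the two named configurers actually register in your version, and assumed authority names ROLE_OBJECT_VIEWER and ROLE_OBJECT_ADMIN.

```kotlin
import com.ritense.valtimo.contract.security.config.HttpSecurityConfigurer
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.Ordered
import org.springframework.core.annotation.Order
import org.springframework.http.HttpMethod
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher

/**
 * Interim mitigation for CVE-2025-48881 (example code, not Valtimo's own):
 * require explicit authorities on the object and object-management endpoints
 * until a fixed release can be deployed.
 *
 * ASSUMPTIONS: the path patterns below are placeholders; copy the exact
 * patterns from ObjectenApiHttpSecurityConfigurer and
 * ObjectManagementHttpSecurityConfigurer of the Valtimo version you run.
 * The authority names are likewise assumed and must exist in your role mapping.
 */
class RestrictedObjectManagementHttpSecurityConfigurer : HttpSecurityConfigurer {

    override fun configure(http: HttpSecurity) {
        http.authorizeHttpRequests { requests ->
            requests
                // Read-only access to objects: viewer or admin.
                .requestMatchers(antMatcher(HttpMethod.GET, OBJECT_API))
                .hasAnyAuthority(OBJECT_VIEWER, OBJECT_ADMIN)
                // Any mutation of objects (create, edit, delete): admin only.
                .requestMatchers(antMatcher(OBJECT_API))
                .hasAuthority(OBJECT_ADMIN)
                // Object-management configuration endpoints: admin only, all methods.
                .requestMatchers(antMatcher(OBJECT_MANAGEMENT_API))
                .hasAuthority(OBJECT_ADMIN)
        }
    }

    companion object {
        // ASSUMED path patterns (see class comment).
        const val OBJECT_API = "/api/v1/object/**"
        const val OBJECT_MANAGEMENT_API = "/api/v1/object-management/**"

        // ASSUMED authority names.
        const val OBJECT_VIEWER = "ROLE_OBJECT_VIEWER"
        const val OBJECT_ADMIN = "ROLE_OBJECT_ADMIN"
    }
}

@Configuration
class RestrictedObjectManagementSecurityConfiguration {

    /**
     * Spring Security evaluates authorizeHttpRequests rules in registration
     * order and stops at the first match, so this configurer has to run before
     * Valtimo's own configurers or its rules never take effect.
     */
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    fun restrictedObjectManagementHttpSecurityConfigurer(): HttpSecurityConfigurer =
        RestrictedObjectManagementHttpSecurityConfigurer()
}
```

To confirm the override is active, call an object endpoint with a token that lacks both assumed roles and expect HTTP 403, then repeat with an admin token and expect the normal response. A 200 for the unprivileged token means the configurer is being applied after Valtimo's defaults and the bean ordering needs adjusting.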

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2025-48881
GHSA-965R-9CG9-G42P

Affected Products

Valtimo