PT-2026-38275 · Ritense · Valtimo Case+2
Theo-Ritense · Published 2026-05-06 · Updated 2026-05-14 · CVE-2026-42555
CVSS v3.1: 9.1 (Critical)
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
com.ritense.valtimo:document versions 12.0.0 through 12.31.0
com.ritense.valtimo:case versions 13.0.0 through 13.22.0
com.ritense.valtimo:contract versions 13.4.0 through 13.22.0
Description
Valtimo is an open-source business process automation platform. The software evaluates Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which allows unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. Technical details include:
- The DocumentMigrationService is exploitable via the endpoints "/api/management/v1/document-definition/migrate" and "/api/management/v1/document-definition/migration/conflicts" through the source or target fields of a DocumentMigrationPatch object. This involves the handleSpelExpression() function.
- The Condition framework is exploitable through the value field of a condition's JSON configuration in admin-configured widgets, dashboards, or features, involving the resolveValue() function.
Recommendations
Update com.ritense.valtimo:document to version 12.32.0.
Update com.ritense.valtimo:case to version 13.23.0.
Update com.ritense.valtimo:contract to version 13.23.0.
As a temporary mitigation, replace StandardEvaluationContext with SimpleEvaluationContext in the affected classes to disallow Java type references and arbitrary method invocation.
Fix
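The weak and the hardened evaluator side by side, as an added example that is not Valtimo's own code: a constructed root object stands in for a migration patch, and the same two expressions are evaluated under StandardEvaluationContext (the vulnerable pattern) and under Spring's SimpleEvaluationContext (the advisory's interim mitigation). The type reference used is a harmless JDK call, chosen only to show that type lookups are refused in the restricted context.

```java
import java.util.Map;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    // Constructed root object standing in for a migration patch with source data (not Valtimo's class).
    public static class PatchRoot {
        private final Map<String, Object> source;
        public PatchRoot(Map<String, Object> source) { this.source = source; }
        public Map<String, Object> getSource() { return source; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Weak pattern: StandardEvaluationContext exposes the full SpEL feature set to the
    // expression, including T(...) type references and arbitrary method invocation.
    static Object evaluateUnrestricted(String expr, Object root) {
        return PARSER.parseExpression(expr).getValue(new StandardEvaluationContext(root));
    }

    // Hardened pattern: SimpleEvaluationContext restricts SpEL to property and indexer
    // access on the root object; it has no type locator and no method resolvers.
    static Object evaluateRestricted(String expr, Object root) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expr).getValue(ctx, root);
    }

    public static void main(String[] args) {
        PatchRoot root = new PatchRoot(Map.of("firstName", "Ada"));

        // A legitimate data-binding expression works under both contexts.
        String benign = "source['firstName']";
        System.out.println("standard: " + evaluateUnrestricted(benign, root));
        System.out.println("simple:   " + evaluateRestricted(benign, root));

        // A type reference is the capability the advisory describes: the standard context
        // resolves any JDK class (a harmless one here); the restricted context rejects the lookup.
        String typeRef = "T(java.lang.Integer).parseInt('42')";
        System.out.println("standard: " + evaluateUnrestricted(typeRef, root));
        try {
            evaluateRestricted(typeRef, root);
        } catch (EvaluationException e) {
            System.out.println("simple:   rejected: " + e.getMessage());
        }
    }
}
```

Requires spring-expression on the classpath; the rejection surfaces as a SpelEvaluationException (a subclass of EvaluationException), which is the behaviour a regression test for the fix should assert on.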
RCE
Code Injection
Affected Products
Valtimo Case
Valtimo Contract
Valtimo Document