CVE-2026-42555
Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users
Description
### Summary Multiple classes evaluate Spring Expression Language (SpEL) expressions from user-supplied input using `StandardEvaluationContext`, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. ### Impact An attacker with ADMIN credentials can: - **Execute arbitrary OS commands** via `T(java.lang.Runtime).getRuntime().exec('...')` - **Exfiltrate all environment variables** (database passwords, API keys, Keycloak secrets) via `T(java.lang.System).getenv()` - **Read JVM system properties** via `T(java.lang.System).getProperties()` - **Load arbitrary classes** via `T(java.lang.Class).forName('...')` ### Affected Components **1. DocumentMigrationService** (since 12.0.0) Exploitable through the document migration REST API: - `POST /api/management/v1/document-definition/migrate` - `POST /api/management/v1/document-definition/migration/conflicts` The malicious SpEL expression is supplied in the `source` or `target` field of a `DocumentMigrationPatch` object in the request body, using the `${...}` template syntax. - In 12.x: `com.ritense.document.service.DocumentMigrationService#handleSpelExpression` (document module) - In 13.x: same class, moved to the case module **2. Condition** (since 13.4.0) Exploitable through any admin-configured widget, dashboard, or feature that uses the `Condition` framework. The SpEL expression is supplied in the `value` field of a condition's JSON configuration. - `com.ritense.valtimo.contract.conditions.Condition#resolveValue` (contract module) This component has a significantly wider attack surface than DocumentMigrationService, as conditions are used across many modules. ### Remediation Replace `StandardEvaluationContext` with `SimpleEvaluationContext` in both affected classes, which disallows Java type references and arbitrary method invocation: ```kotlin val evaluationContext = SimpleEvaluationContext .forPropertyAccessors(MapAccessor(), jsonPropertyAccessor) .build() ```
How to fix CVE-2026-42555
To remediate CVE-2026-42555, upgrade the affected package to a fixed version below.
- —upgrade to 13.23.0 or later
- —upgrade to 13.23.0 or later