CVE Catalog

CVE-2026-42555

Critical
Published: Translated: NVD NIST

Summary

Valtimo is a business process automation platform with a vulnerability that allows remote code execution and credential exfiltration. Versions from 12.0.0 to before 12.32.0 for com.ritense.valtimo:document and from 13.0.0 to before 13.23.0 for com.ritense.valtimo:case and com.ritense.valtimo:contract are affected.

Risk Assessment

This threat allows an authenticated user with the ADMIN role to execute remote code, potentially leading to serious security breaches and data loss.

Recommendation

It is recommended to upgrade to version 2.32.0 for com.ritense.valtimo:document and 13.23.0 for com.ritense.valtimo:case and com.ritense.valtimo:contract to mitigate this vulnerability.

Original NVD description (English source)

Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. This vulnerability is fixed in com.ritense.valtimo:document 2.32.0, com.ritense.valtimo:case 13.23.0, and com.ritense.valtimo:contract 13.23.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS