CVE-2026-42555: CWE-94: Improper Control of Generation of Code ('Code Injection') in valtimo-platform valtimo
CVE-2026-42555 is a critical vulnerability in the open-source valtimo business process automation platform. It affects versions prior to 13. 23. 0 and involves improper control of code generation via Spring Expression Language (SpEL) expressions evaluated from user-supplied input. Authenticated users with ADMIN role privileges can exploit this to achieve remote code execution and credential exfiltration. The vulnerability is fixed in valtimo versions 13. 23. 0 and later.
AI Analysis
Technical Summary
Valtimo versions before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user input using StandardEvaluationContext, which allows unrestricted access to Java types and methods. This improper control of code generation (CWE-94) enables an authenticated ADMIN user to execute arbitrary code remotely and exfiltrate credentials. The issue affects multiple valtimo components including document, case, and contract modules. Official fixes are available starting from valtimo version 13.23.0.
Potential Impact
An attacker with ADMIN privileges can exploit this vulnerability to execute arbitrary code remotely on the affected system and exfiltrate sensitive credentials. This can lead to full system compromise, data breaches, and disruption of business process automation workflows. The CVSS score of 9.1 reflects the critical nature of this vulnerability with high confidentiality, integrity, and availability impacts.
Mitigation Recommendations
This vulnerability is fixed in valtimo versions 13.23.0 and later for the affected components. Users should upgrade to these fixed versions to remediate the issue. Since this is not a cloud service, remediation requires applying the vendor's official patches. Patch status is confirmed by the vendor advisory stating fixes in version 13.23.0 and above.
CVE-2026-42555: CWE-94: Improper Control of Generation of Code ('Code Injection') in valtimo-platform valtimo
Description
CVE-2026-42555 is a critical vulnerability in the open-source valtimo business process automation platform. It affects versions prior to 13. 23. 0 and involves improper control of code generation via Spring Expression Language (SpEL) expressions evaluated from user-supplied input. Authenticated users with ADMIN role privileges can exploit this to achieve remote code execution and credential exfiltration. The vulnerability is fixed in valtimo versions 13. 23. 0 and later.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Valtimo versions before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user input using StandardEvaluationContext, which allows unrestricted access to Java types and methods. This improper control of code generation (CWE-94) enables an authenticated ADMIN user to execute arbitrary code remotely and exfiltrate credentials. The issue affects multiple valtimo components including document, case, and contract modules. Official fixes are available starting from valtimo version 13.23.0.
Potential Impact
An attacker with ADMIN privileges can exploit this vulnerability to execute arbitrary code remotely on the affected system and exfiltrate sensitive credentials. This can lead to full system compromise, data breaches, and disruption of business process automation workflows. The CVSS score of 9.1 reflects the critical nature of this vulnerability with high confidentiality, integrity, and availability impacts.
Mitigation Recommendations
This vulnerability is fixed in valtimo versions 13.23.0 and later for the affected components. Users should upgrade to these fixed versions to remediate the issue. Since this is not a cloud service, remediation requires applying the vendor's official patches. Patch status is confirmed by the vendor advisory stating fixes in version 13.23.0 and above.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-28T16:56:50.191Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a05fd9fec166c07b0f93174
Added to database: 5/14/2026, 4:51:43 PM
Last enriched: 5/14/2026, 5:07:19 PM
Last updated: 5/15/2026, 6:28:48 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.