🚨 BREAKING

CVE-2026-42555: Valtimo RCE Via Spring Expression Language

/CRITICAL /CVSS 9.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvecriticalhigh-severityremote-code-executioncwe-94
CVE-2026-42555: Valtimo RCE Via Spring Expression Language

The National Vulnerability Database has detailed CVE-2026-42555, a critical remote code execution (RCE) vulnerability affecting Valtimo, an open-source business process automation platform. Specifically, the vulnerability resides in the com.ritense.valtimo:document, com.ritense.valtimo:case, and com.ritense.valtimo:contract components across several versions. The core issue is an improper evaluation of Spring Expression Language (SpEL) expressions from user-supplied input.

This flaw allows an authenticated user with ADMIN privileges to achieve RCE and exfiltrate credentials. The use of StandardEvaluationContext provides unrestricted access to Java types and methods, making the SpEL injection highly potent. The National Vulnerability Database assigns this a CVSS score of 9.1 (CRITICAL), underscoring the severe impact.

Patches are available. Valtimo users should prioritize updating com.ritense.valtimo:document to version 2.32.0, com.ritense.valtimo:case to 13.23.0, and com.ritense.valtimo:contract to 13.23.0 immediately. Leaving this unpatched is an open invitation for an insider threat or compromised admin account to completely compromise the system.

What This Means For You

  • If your organization uses Valtimo, immediately identify which versions of `com.ritense.valtimo:document`, `com.ritense.valtimo:case`, and `com.ritense.valtimo:contract` you are running. Prioritize patching to the specified fixed versions. An authenticated ADMIN user can trigger this, meaning a compromised admin account or an insider threat presents a direct path to RCE and credential exfiltration. This is not a theoretical risk; it's a critical operational threat.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.001 PowerShell Execution T1059.003 Windows Command Shell Execution

🛡️ Detection Rules

4 rules · 6 SIEM formats

4 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-42555: Valtimo SpEL Injection via Document API

Sigma YAML — free preview 
title: CVE-2026-42555: Valtimo SpEL Injection via Document API
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-42555 by sending SpEL expressions via the document API. The pattern specifically looks for the '/api/document/' path and a SpEL payload attempting to execute commands using 'T(java.lang.Runtime).getRuntime().exec('. This is a critical indicator of exploitation for Valtimo instances running affected versions.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42555/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/api/document/'
      cs-uri-query|contains:
          - 'T(java.lang.Runtime).getRuntime().exec('
      cs-method|exact:
          - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-42555 RCE com.ritense.valtimo:document versions 12.0.0 to before 12.32.0
CVE-2026-42555 RCE com.ritense.valtimo:case versions 13.0.0 to before 13.23.0
CVE-2026-42555 RCE com.ritense.valtimo:contract versions 13.4.0 to before 13.23.0
CVE-2026-42555 Code Injection Spring Expression Language (SpEL) evaluation using StandardEvaluationContext with user-supplied input
CVE-2026-42555 Information Disclosure Credential exfiltration via SpEL injection

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 14, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-46470 — GStreamer Gst-Plugins-Good Denial of Service

CVE-2026-46470 — An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-369
/SCW Vulnerability Desk /MEDIUM /4 /⚑ 2 IOCs /⚙ 2 Sigma

CVE-2026-46469 — GStreamer Gst-Plugins-Good Denial of Service

CVE-2026-46469 — An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_parse_trak function does not sufficiently validate...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-369
/SCW Vulnerability Desk /MEDIUM /4 /⚑ 2 IOCs /⚙ 1 Sigma

CVE-2026-44542: Critical Path Traversal in FileBrowser Quantum

CVE-2026-44542 — FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base...

vulnerabilityCVEcriticalhigh-severityarbitrary-file-accesscwe-22
/SCW Vulnerability Desk /CRITICAL /9.1 /⚑ 3 IOCs /⚙ 2 Sigma