Threat Advisory

Critical Remote Code Execution Vulnerability in Valtimo Framework Components

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

A critical vulnerability, rated CVSS 9.1, has been identified in the Valtimo application framework. It is an improper control of code generation (code injection) issue: expressions supplied at runtime are evaluated in an unrestricted evaluation context, so an expression can execute arbitrary logic rather than only reading data. An authenticated user with administrative privileges can use this to take control of the underlying system, including running operating system commands and reading sensitive environment variables, which puts both data integrity and system availability at severe risk.

CVE-2026-42555: This is a code injection flaw in multiple components, including the document migration and condition resolution services. By supplying a malicious expression through specific REST API endpoints or configuration fields, an attacker can trigger remote code execution. The impact includes reading system properties, loading arbitrary Java classes, and accessing database credentials or API keys held in the environment. Administrative access is required to exploit the flaw, but a successful exploit gives complete control of the host and a foothold for lateral movement within the environment.

Organizations must prioritize remediation of this flaw to prevent exposure of infrastructure secrets and unauthorized remote command execution. Because the required privilege level is administrative, the fix does not remove the need to treat administrative accounts as high-value targets; it removes the ability of any expression, however it is supplied, to reach beyond the data it is meant to evaluate. Strictly constraining expression evaluation is essential to keeping the administrative interface from becoming a code execution path.
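The advisory describes the root cause as an unrestricted evaluation context, and the recommended fix as constraining evaluation. The following is an added example, not code from the Valtimo project or from the advisory, showing what that distinction looks like in Spring's expression language (SpEL); that the affected Valtimo components use SpEL is an assumption made here, as is the CaseData root object and the field names. The vulnerable form uses StandardEvaluationContext, which exposes type references, constructors and arbitrary method calls; the hardened form uses SimpleEvaluationContext in read-only data-binding mode, which allows property navigation, indexing and comparisons on the root object and nothing else.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

import java.util.Map;

// Requires org.springframework:spring-expression on the classpath.
public class ExpressionContextDemo {

    // Hypothetical root object standing in for the case/document data that a
    // condition or migration expression is supposed to read. Constructed for
    // this example; not a Valtimo type.
    public static class CaseData {
        private final Map<String, Object> fields;
        public CaseData(Map<String, Object> fields) { this.fields = fields; }
        public Map<String, Object> getFields() { return fields; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // VULNERABLE pattern: StandardEvaluationContext resolves T(...) type
    // references, constructors, bean references and arbitrary method calls,
    // so an admin-supplied expression runs with the application's privileges.
    public static Object evaluateUnrestricted(String expression, CaseData root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        Expression expr = PARSER.parseExpression(expression);
        return expr.getValue(ctx);
    }

    // HARDENED pattern: SimpleEvaluationContext in read-only data-binding mode
    // has no type locator and no method resolvers. Property access, map/list
    // indexing, literals and operators still work; T(...), method invocation,
    // constructors and assignment fail with a SpelEvaluationException.
    public static Object evaluateRestricted(String expression, CaseData root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression expr = PARSER.parseExpression(expression);
        return expr.getValue(ctx, root);
    }

    public static void main(String[] args) {
        CaseData data = new CaseData(Map.of("status", "OPEN", "amount", 1250));

        // A legitimate condition: reads case fields and compares them.
        String benign = "fields['status'] == 'OPEN' and fields['amount'] > 1000";
        System.out.println("unrestricted, benign : " + evaluateUnrestricted(benign, data));
        System.out.println("restricted,   benign : " + evaluateRestricted(benign, data));

        // An expression of the kind an administrator could place in a
        // configuration field: reaches out of the data model into the JVM
        // and enumerates the process environment (where secrets often live).
        String hostile = "T(java.lang.System).getenv().keySet().size()";
        System.out.println("unrestricted, hostile: " + evaluateUnrestricted(hostile, data));
        try {
            evaluateRestricted(hostile, data);
            System.out.println("restricted,   hostile: evaluated (should not happen)");
        } catch (SpelEvaluationException e) {
            System.out.println("restricted,   hostile: rejected (" + e.getMessageCode() + ")");
        }
    }
}
```

The benign expression evaluates to true in both contexts, which is the point: constraining the context costs nothing for the data-binding use case the feature exists for. The hostile expression returns the environment size under StandardEvaluationContext and is rejected under SimpleEvaluationContext before any method runs. When reviewing a codebase for this class of flaw, grep for StandardEvaluationContext and for getValue calls on parsed expressions that originate from request bodies or stored configuration; each one is a candidate for the same substitution.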

RECOMMENDATION:

  • We recommend updating maven/com.ritense.valtimo:document to version 12.32.0, maven/com.ritense.valtimo:case to version 13.23.0, and maven/com.ritense.valtimo:contract to version 13.23.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-j7j9-5253-f7vh
