{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/valtimo-contract-module/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Valtimo document module","Valtimo case module","Valtimo contract module"],"_cs_severities":["critical"],"_cs_tags":["spel-injection","rce","valtimo"],"_cs_type":"advisory","_cs_vendors":["Ritense"],"content_html":"\u003cp\u003eValtimo, a low-code application development platform, is susceptible to Spring Expression Language (SpEL) injection because several of its classes evaluate user-supplied expressions with \u003ccode\u003eStandardEvaluationContext\u003c/code\u003e. That context exposes the full Java type system to the expression (\u003ccode\u003eT(...)\u003c/code\u003e type references, constructors, static and instance method calls), so whoever controls the expression string can run arbitrary Java code inside the JVM. Authenticated users with administrative privileges can inject such expressions and achieve remote code execution (RCE). Two code paths are affected: the document migration service (versions 12.0.0-12.31.0) and the condition framework (versions 13.4.0-13.22.0), which later versions use across multiple modules. An attacker leveraging this vulnerability can execute arbitrary OS commands, exfiltrate environment variables containing sensitive information, read JVM system properties, and load arbitrary classes, impacting the confidentiality, integrity, and availability of the Valtimo platform.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Valtimo platform with administrative credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SpEL expression that embeds an OS command, for example \u003ccode\u003eT(java.lang.Runtime).getRuntime().exec('...')\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor DocumentMigrationService (versions 12.0.0-12.31.0), the attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/management/v1/document-definition/migrate\u003c/code\u003e or \u003ccode\u003e/api/management/v1/document-definition/migration/conflicts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious SpEL expression is injected via the \u003ccode\u003esource\u003c/code\u003e or \u003ccode\u003etarget\u003c/code\u003e field of a \u003ccode\u003eDocumentMigrationPatch\u003c/code\u003e object in the request body, using the \u003ccode\u003e${...}\u003c/code\u003e template syntax.\u003c/li\u003e\n\u003cli\u003eFor the condition framework (versions 13.4.0-13.22.0), the attacker configures a widget, dashboard, or other feature that uses the \u003ccode\u003eCondition\u003c/code\u003e framework, placing the SpEL expression in the \u003ccode\u003evalue\u003c/code\u003e field of a condition\u0026rsquo;s JSON configuration.\u003c/li\u003e\n\u003cli\u003eThe application evaluates the expression with the vulnerable \u003ccode\u003eStandardEvaluationContext\u003c/code\u003e rather than a restricted context, so the embedded OS command runs on the server with the privileges of the Valtimo process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, potentially gaining complete control over the Valtimo platform.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker with administrative privileges to execute arbitrary OS commands on the Valtimo server with the privileges of the Valtimo process. This can lead to complete system compromise, including the exfiltration of secrets such as database passwords, API keys, and Keycloak secrets held in environment variables. The vulnerability affects Valtimo instances running versions 12.0.0-12.31.0 (document module) and 13.4.0-13.22.0 (condition framework). Because administrative authentication is a prerequisite, the practical exposure is through compromised, shared, or overly broad administrator accounts; a successful attack can result in significant data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Valtimo document module to version 12.32.0 or later to remediate the vulnerability in DocumentMigrationService.\u003c/li\u003e\n\u003cli\u003eUpgrade the Valtimo case and contract modules to version 13.23.0 or later to remediate the vulnerability in the condition framework.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Valtimo SpEL Injection via Document Migration\u0026rdquo; to flag suspicious \u003ccode\u003ePOST\u003c/code\u003e requests to the two migration endpoints.\u003c/li\u003e\n\u003cli\u003eEnable request-body logging for those endpoints. Standard access logs record only the method and path, while the SpEL payload lives in the JSON body, so without body capture the rule cannot tell a legitimate migration from an exploitation attempt.\u003c/li\u003e\n\u003cli\u003eThe Sigma rule covers only the document migration endpoints. For the condition framework variant, review stored condition configurations for \u003ccode\u003evalue\u003c/code\u003e fields that contain SpEL type references such as \u003ccode\u003eT(\u003c/code\u003e, and alert on changes to them.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T12:00:00Z","date_published":"2026-05-07T12:00:00Z","id":"/briefs/2026-05-valtimo-spel/","summary":"Valtimo is vulnerable to SpEL injection via StandardEvaluationContext, which allows remote code execution by admin users, who can then execute arbitrary OS commands and exfiltrate sensitive information.","title":"Valtimo SpEL Injection Vulnerability Allows Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-valtimo-spel/"}],"language":"en","title":"CraftedSignal Threat Feed — Valtimo Contract Module","version":"https://jsonfeed.org/version/1.1"}
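The advisory above describes the root cause (templates evaluated with `StandardEvaluationContext`) and the attack (a `T(...)` type reference inside a `${...}` template). The following Java example, written for this page and not taken from Valtimo or Ritense, reproduces that pattern in isolation and puts the standard Spring hardening, `SimpleEvaluationContext`, beside it. Everything in it is an assumption for illustration: the `SpelTemplateDemo` class, the `Document` bean and its `firstName`/`lastName` fields, the `evaluateUnsafe`/`evaluateSafe` helpers, and the choice of `${`/`}` as template delimiters (taken from the advisory's description; how Valtimo actually configures its parser is not stated here). Whether the 12.32.0 and 13.23.0 fixes take exactly this form is likewise not stated on this page. The hostile expression reads a harmless JVM property instead of calling `Runtime.exec`, but it exercises the same capability the attack needs.

```java
// Added example, not Valtimo's code. Illustrates the SpEL evaluation-context
// issue described in the advisory. Class, bean, field names and the "${...}"
// delimiters are assumptions for this demo. Requires spring-expression on the
// classpath (org.springframework:spring-expression).
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelTemplateDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // "${...}" template delimiters as described in the advisory (assumption;
    // Spring's own default for TemplateParserContext is "#{...}").
    private static final TemplateParserContext TEMPLATE = new TemplateParserContext("${", "}");

    /** Stand-in for the object a migration template is evaluated against (assumption). */
    public static class Document {
        private final String firstName;
        private final String lastName;

        public Document(String firstName, String lastName) {
            this.firstName = firstName;
            this.lastName = lastName;
        }

        public String getFirstName() { return firstName; }
        public String getLastName() { return lastName; }
    }

    /**
     * Vulnerable pattern. StandardEvaluationContext wires in a StandardTypeLocator,
     * reflective method and constructor resolvers, so T(...) references, static
     * calls and object construction are all reachable from a user-controlled string.
     */
    static String evaluateUnsafe(String template, Document root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(template, TEMPLATE).getValue(ctx, String.class);
    }

    /**
     * Hardened pattern. SimpleEvaluationContext in read-only data-binding mode
     * permits property reads on the root object only: its type locator rejects
     * every T(...) reference and no method resolvers are registered.
     */
    static String evaluateSafe(String template, Document root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        return PARSER.parseExpression(template, TEMPLATE).getValue(ctx, String.class);
    }

    public static void main(String[] args) {
        Document doc = new Document("Ada", "Lovelace");

        // Legitimate template, e.g. a migration patch that copies fields. Both
        // contexts evaluate it, so the hardening does not break normal use.
        String benign = "${firstName} ${lastName}";
        System.out.println("unsafe/benign : " + evaluateUnsafe(benign, doc)); // Ada Lovelace
        System.out.println("safe/benign   : " + evaluateSafe(benign, doc));   // Ada Lovelace

        // Attacker-controlled value, e.g. the source field of a DocumentMigrationPatch
        // or the value field of a condition. A static type reference is the building
        // block the advisory's Runtime.exec payload relies on; a property read is used
        // here so the demo does not spawn a process.
        String hostile = "${T(java.lang.System).getProperty('java.version')}";
        System.out.println("unsafe/hostile: " + evaluateUnsafe(hostile, doc)); // leaks the JVM version

        try {
            evaluateSafe(hostile, doc);
            System.out.println("safe/hostile  : evaluated (unexpected)");
        } catch (SpelEvaluationException e) {
            // SimpleEvaluationContext's type locator throws EL1005E "Type cannot be found".
            System.out.println("safe/hostile  : blocked -> " + e.getMessage());
        }
    }
}
```

Compile and run with `spring-expression` (and its `spring-core` dependency) on the classpath. The point to take from the run is the asymmetry: the benign template succeeds under both contexts, while the `T(...)` expression only succeeds under `StandardEvaluationContext`. When auditing code for this class of bug, search for `new StandardEvaluationContext` and check whether the expression string can originate from a request body or stored configuration; if it can, `SimpleEvaluationContext` (or a non-SpEL templating mechanism) is the fix, and input filtering on `T(` alone is not, because SpEL offers other routes to the same classes.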