CVE-2026-42555: Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users

May 6, 2026 (updated May 14, 2026)

Multiple classes evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration.

References

github.com/advisories/GHSA-j7j9-5253-f7vh
github.com/valtimo-platform/valtimo/security/advisories/GHSA-j7j9-5253-f7vh
nvd.nist.gov/vuln/detail/CVE-2026-42555

Code Behaviors & Features

Detect and mitigate CVE-2026-42555 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →