Description
Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data (PII), citizen identifiers (BSN), and case details. This data is exposed to anyone with access to application logs or any Valtimo user with the admin role through the Admin UI logging module. This issue has been fixed in version 13.22.0. If developers are unable to upgrade immediately, they can restrict access to application logs and adjust the log level for com.ritense.inbox to WARN or higher in their application configuration as a workaround.
Published: 2026-04-16
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure via Logging
Action: Apply Patch
AI Analysis

Impact

Valtimo is an open-source business process automation platform that, in versions 13.0.0 through 13.21.0, logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information such as personal data, citizen identifiers, and case details. Because the service logs the complete message body, anyone who can read the application logs, or a Valtimo user with the admin role who has access to the Admin UI logging module, can view that data. The vulnerability originates from insecure logging of sensitive information (CWE-532), allowing disclosure of confidential data.

Affected Systems

This issue affects the Valtimo platform, specifically versions 13.0.0 through 13.21.0. An update to 13.22.0 fixes the problem, so systems running older releases are vulnerable.

Risk and Exploitability

The CVSS score is 4.9, indicating moderate severity combined with low impact and limited privilege escalation. EPSS data is not available, but the vulnerability does not require a special environment to exploit; any user or attacker who gains access to application logs or holds administrator privileges can read the logged content. Because the vulnerability is an information leak rather than a direct attack vector, it is not listed in the CISA KEV catalog. Nonetheless, an attacker who can read logs could obtain PII or case details, potentially enabling identity theft or targeted phishing. Mitigation requires limiting log exposure and updating the vulnerable version.

Generated by OpenCVE AI on April 17, 2026 at 02:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Valtimo platform to version 13.22.0 or later to eliminate the logging of full inbox messages.
  • If an immediate upgrade is not possible, set the log level for the component com.ritense.inbox to WARN or higher in the application configuration to prevent logging of message contents.
  • Restrict access to application logs and the Admin UI logging module so that only authorized personnel can view log files.
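Before the upgrade or log-level change lands, a defender usually wants to know whether the logs already written contain the data the advisory describes. The following Python script is an added example, not Valtimo's code: it scans log lines for INFO-or-lower entries from the com.ritense.inbox logger that carry an 11-proef-valid BSN (the same lines the WARN workaround would suppress) and shows a redaction step for a log-shipping pipeline. It assumes Spring Boot's default console layout for the lines; the sample lines, message bodies, and identifiers are constructed for the example.

```python
import re
from dataclasses import dataclass

INBOX_LOGGER_PREFIX = "com.ritense.inbox"   # logger named in the advisory's workaround
LEVEL_ORDER = {"TRACE": 0, "DEBUG": 1, "INFO": 2, "WARN": 3, "ERROR": 4}

# Constructed sample in Spring Boot's default console layout (assumption: the
# application logs in this layout; message contents and identifiers are made up).
SAMPLE_LOG = """\
2026-04-16 10:00:01.123  INFO 1 --- [nio-8080-exec-1] com.ritense.inbox.InboxHandlingService : Received inbox message: {"bsn":"123456782","subject":"Aanvraag"}
2026-04-16 10:00:02.456  INFO 1 --- [nio-8080-exec-2] com.ritense.inbox.InboxHandlingService : Received inbox message: {"bsn":"111222333","subject":"Bezwaar"}
2026-04-16 10:00:03.789  WARN 1 --- [nio-8080-exec-3] com.ritense.inbox.InboxHandlingService : Retrying delivery of message 42
2026-04-16 10:00:04.000  INFO 1 --- [nio-8080-exec-4] com.ritense.document.DocumentService : Stored document 987654321
2026-04-16 10:00:05.000 DEBUG 1 --- [nio-8080-exec-5] com.ritense.inbox.InboxHandlingService : Raw payload: order 123456789 has no bsn
"""

# timestamp, level, pid, '---', [thread], logger, ':', message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+)\s+(?P<level>TRACE|DEBUG|INFO|WARN|ERROR)"
    r"\s+\d+\s+---\s+\[[^\]]*\]\s+(?P<logger>\S+)\s+:\s+(?P<msg>.*)$"
)
# any 9-digit run not embedded in a longer digit run
BSN_CANDIDATE_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def bsn_is_valid(candidate: str) -> bool:
    """11-proef for a BSN: 9*d1 + 8*d2 + ... + 2*d8 - d9 must be divisible by 11."""
    if len(candidate) != 9 or not candidate.isdigit():
        return False
    digits = [int(c) for c in candidate]
    weighted = sum(w * d for w, d in zip(range(9, 1, -1), digits[:8])) - digits[8]
    return weighted % 11 == 0


@dataclass
class Finding:
    line_no: int
    level: str
    logger: str
    bsns: list


def find_exposures(log_text: str, logger_prefix: str = INBOX_LOGGER_PREFIX,
                   threshold: str = "WARN") -> list:
    """Return inbox-logger lines below `threshold` that contain a valid BSN.

    With threshold="WARN" these are exactly the lines the advisory's workaround
    (com.ritense.inbox at WARN or higher) would stop emitting.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m or not m["logger"].startswith(logger_prefix):
            continue
        if LEVEL_ORDER[m["level"]] >= LEVEL_ORDER[threshold]:
            continue  # would still be logged after the workaround; not the leaky case
        bsns = [c for c in BSN_CANDIDATE_RE.findall(m["msg"]) if bsn_is_valid(c)]
        if bsns:
            findings.append(Finding(line_no, m["level"], m["logger"], bsns))
    return findings


def redact_bsns(message: str) -> str:
    """Mask 11-proef-valid 9-digit numbers before a line is shipped or retained."""
    return BSN_CANDIDATE_RE.sub(
        lambda mm: "[BSN-REDACTED]" if bsn_is_valid(mm.group()) else mm.group(),
        message,
    )


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG):
        print(f"line {f.line_no} {f.level} {f.logger}: {len(f.bsns)} BSN(s) exposed")
        # sample redacted form of the same line:
        print("  redacted:", redact_bsns(SAMPLE_LOG.splitlines()[f.line_no - 1]))
```

Run against a real log, the script reports which lines should be treated as a disclosure of citizen identifiers; the 11-proef filter keeps unrelated nine-digit values (document or order numbers) out of the count. The `threshold` argument also makes the effect of the configuration workaround visible: with `threshold="WARN"` the two INFO lines are flagged, while a looser setting flags nothing because those lines would be written regardless.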

Advisories
Source: GitHub GHSA
ID: GHSA-hfrg-mcvw-8mch
Title: Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService
History

Sat, 18 Apr 2026 03:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 08:15:00 +0000

Type: First Time appeared
Values added: Valtimo-platform; Valtimo-platform valtimo

Type: Vendors & Products
Values added: Valtimo-platform; Valtimo-platform valtimo

Thu, 16 Apr 2026 21:30:00 +0000

Type: Description
Values added: Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data (PII), citizen identifiers (BSN), and case details. This data is exposed to anyone with access to application logs or any Valtimo user with the admin role through the Admin UI logging module. This issue has been fixed in version 13.22.0. If developers are unable to upgrade immediately, they can restrict access to application logs and adjust the log level for com.ritense.inbox to WARN or higher in their application configuration as a workaround.

Type: Title
Values added: Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService

Type: Weaknesses
Values added: CWE-532

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-18T02:44:44.369Z

Reserved: 2026-03-25T20:12:04.197Z

Link: CVE-2026-34164

Vulnrichment

Updated: 2026-04-18T02:44:37.749Z

NVD

Status : Awaiting Analysis

Published: 2026-04-16T22:16:37.757

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-34164

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T08:01:27Z

Weaknesses