{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34164", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T20:12:04.197Z", "datePublished": "2026-04-16T21:17:35.472Z", "dateUpdated": "2026-04-16T21:17:35.472Z"}, "containers": {"cna": {"title": "Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-hfrg-mcvw-8mch", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-hfrg-mcvw-8mch"}, {"name": "https://github.com/generiekzaakafhandelcomponent/gzac-issues/issues/653", "tags": ["x_refsource_MISC"], "url": "https://github.com/generiekzaakafhandelcomponent/gzac-issues/issues/653"}, {"name": "https://github.com/valtimo-platform/valtimo/pull/497", "tags": ["x_refsource_MISC"], "url": "https://github.com/valtimo-platform/valtimo/pull/497"}, {"name": "https://github.com/valtimo-platform/valtimo/commit/f16a1940ba7b34627c0b966f98ca78655ace9335", "tags": ["x_refsource_MISC"], "url": "https://github.com/valtimo-platform/valtimo/commit/f16a1940ba7b34627c0b966f98ca78655ace9335"}, {"name": "https://github.com/valtimo-platform/valtimo/releases/tag/13.22.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/valtimo-platform/valtimo/releases/tag/13.22.0"}], "affected": [{"vendor": "valtimo-platform", "product": "valtimo", "versions": [{"version": ">= 13.0.0.RELEASE, < 13.22.0.RELEASE", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T21:17:35.472Z"}, "descriptions": [{"lang": "en", "value": "Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data (PII), citizen identifiers (BSN), and case details. This data is exposed to anyone with access to application logs or any Valtimo user with the admin role through the Admin UI logging module. This issue has been fixed in version 13.22.0. If developers are unable to upgrade immediately, they can restrict access to application logs and adjust the log level for com.ritense.inbox to WARN or higher in their application configuration as a workaround."}], "source": {"advisory": "GHSA-hfrg-mcvw-8mch", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data (PII), citizen identifiers (BSN), and case details. This data is exposed to anyone with access to application logs or any Valtimo user with the admin role through the Admin UI logging module. This issue has been fixed in version 13.22.0. If developers are unable to upgrade immediately, they can restrict access to application logs and adjust the log level for com.ritense.inbox to WARN or higher in their application configuration as a workaround."}], "id": "CVE-2026-34164", "lastModified": "2026-04-16T22:16:37.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-16T22:16:37.757", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/generiekzaakafhandelcomponent/gzac-issues/issues/653"}, {"source": "security-advisories@github.com", "url": "https://github.com/valtimo-platform/valtimo/commit/f16a1940ba7b34627c0b966f98ca78655ace9335"}, {"source": "security-advisories@github.com", "url": "https://github.com/valtimo-platform/valtimo/pull/497"}, {"source": "security-advisories@github.com", "url": "https://github.com/valtimo-platform/valtimo/releases/tag/13.22.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-hfrg-mcvw-8mch"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T02:26:34.967855+00:00", "value": {"mitigation_remediation": ["Upgrade the Valtimo platform to version 13.22.0 or later to eliminate the logging of full inbox messages.", "If an immediate upgrade is not possible, set the log level for the component com.ritense.inbox to WARN or higher in the application configuration to prevent logging of message contents.", "Restrict access to application logs and the Admin UI logging module so that only authorized personnel can view log files."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Exposure via Logging"}, "threat_synthesis": {"affected_systems": "This issue affects the Valtimo platform, specifically versions 13.0.0 through 13.21.0. An update to 13.22.0 fixes the problem, so systems running older releases are vulnerable.", "description_and_impact": "Valtimo is an open\u2011source business process automation platform that, in versions 13.0.0 through 13.21.0, logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information such as personal data, citizen identifiers, and case details. Because the service logs the complete message body, anyone who can read the application logs or a Valtimo user with an admin role who has access to the Admin UI logging module can view that data. The vulnerability originates from insecure logging of sensitive information (CWE\u2011532), allowing disclosure of confidential data.", "risk_and_exploitability": "The CVSS score is 4.9, indicating a moderate severity combined with low impact and limited privilege escalation. EPSS data is not available, but the vulnerability does not require a special environment to exploit; any user or attacker who gains access to application logs or has administrator privileges can read the logged content. Because the vulnerability is an information\u2011leak rather than a direct attack vector, it is not listed in the CISA KEV catalog. Nonetheless, an attacker who can read logs could obtain PII or case details, potentially enabling identity\u2011theft or targeted phishing. Mitigation requires limiting log exposure and updating the vulnerable version."}}}}, "created": "2026-04-17T02:30:07.315397+00:00", "updated": "2026-04-17T02:30:07.315408+00:00", "vendors": []}