CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Blast Radius
Ecosystem impact: 40 Maven packages depend on com.ritense.valtimo:inbox (2 direct, 38 indirect).
Ecosystem-wide dependent count for version 13.0.0.RELEASE.
Description (NVD)
Summary
The InboxHandlingService logs the full content of every incoming inbox message at INFO level (logger.info("Received message: {}", message)). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), Dutch citizen service numbers (BSN), and case details.
Impact
This data is exposed to:
- Anyone with access to application logs (stdout/log files)
- Any Valtimo user with the admin role, through the logging module in the Admin UI
Affected Code
com.ritense.inbox.InboxHandlingService#handle in the inbox module.
Resolution
Fixed in 13.22.0 via commit f16a1940ba (PR #497, tracking issue gzac-issues#653). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output.
Mitigation
For versions before 13.22.0, consider:
- Restricting access to application logs, including the logging module in the Admin UI
- Setting the log level for com.ritense.inbox to WARN or higher in your application configuration, so the INFO-level statement is never emitted
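The second mitigation as a Spring Boot application.yml fragment. This is an added example, not configuration from the advisory or from the Valtimo project; it assumes the Valtimo application is a standard Spring Boot application whose logger levels are driven by the logging.level.* properties (Logback behind SLF4J, the Spring Boot default).

```yaml
# application.yml (Spring Boot) -- added mitigation example, not Valtimo project config.
# Assumption: the Valtimo application is a standard Spring Boot app, so logger
# thresholds are taken from logging.level.* (Logback via SLF4J by default).
logging:
  level:
    # Keep normal verbosity for everything else.
    root: INFO
    # Raise the threshold for the inbox module so that the INFO-level
    # "Received message: {}" statement in com.ritense.inbox.InboxHandlingService
    # is never emitted; only WARN and ERROR events from this package are logged.
    # The level check happens in the logger itself, so the event is never
    # created and cannot reach any sink (stdout, log files, or whatever the
    # Admin UI logging module reads).
    com.ritense.inbox: WARN
```

The same override can be applied to a container without rebuilding it through Spring Boot's relaxed binding, as the environment variable LOGGING_LEVEL_COM_RITENSE_INBOX=WARN or the command-line argument --logging.level.com.ritense.inbox=WARN. Note that this also silences every other INFO event from the inbox package, so check whether any operational monitoring depends on them. After upgrading to 13.22.0 the override can be dropped, since the fixed statement no longer includes the message payload at any level.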
Identifiers
EUVD-2026-23296
GHSA-hfrg-mcvw-8mch