Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 40 maven packages depend on com.ritense.valtimo:inbox (2 direct, 38 indirect)
Ecosystem-wide dependent count for version 13.0.0.RELEASE.
DescriptionGitHub Advisory
Summary
The InboxHandlingService logs the full content of every incoming inbox message at INFO level (logger.info("Received message: {}", message)). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen identifiers (BSN), and case details.
Impact
This data is exposed to:
- Anyone with access to application logs (stdout/log files)
- Any Valtimo user with the admin role, through the logging module in the Admin UI
Affected Code
com.ritense.inbox.InboxHandlingService#handle in the inbox module.
Resolution
Fixed in 13.22.0 via commit f16a1940ba (PR #497, tracking issue gzac-issues#653). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output.
Mitigation
For versions before 13.22.0, consider:
- Restricting access to application logs
- Adjusting the log level for
com.ritense.inboxto WARN or higher in your application configuration
Analysis
Summary
The InboxHandlingService logs the full content of every incoming inbox message at INFO level (logger.info("Received message: {}", message)). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen identifiers (BSN), and case details.
Impact
This data is exposed to:
- Anyone with access to application logs (stdout/log files)
- Any Valtimo user with the admin role, through the logging module in the Admin UI
Affected Code
com.ritense.inbox.InboxHandlingService#handle in the inbox module.
Resolution
Fixed in 13.22.0 via commit f16a1940ba (PR #497, tracking issue gzac-issues#653). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output.
Mitigation
For versions before 13.22.0, consider:
- Restricting access to application logs
- Adjusting the log level for
com.ritense.inboxto WARN or higher in your application configuration
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23296
GHSA-hfrg-mcvw-8mch