Skip to main content

EUVDEUVD-2026-23296

| CVE-2026-34164 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-04-16 https://github.com/valtimo-platform/valtimo GHSA-hfrg-mcvw-8mch
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 16, 2026 - 21:15 euvd
EUVD-2026-23296
Patch released
Apr 16, 2026 - 21:15 nvd
Patch available
CVE Published
Apr 16, 2026 - 20:42 nvd
MEDIUM 4.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 40 maven packages depend on com.ritense.valtimo:inbox (2 direct, 38 indirect)

Ecosystem-wide dependent count for version 13.0.0.RELEASE.

DescriptionGitHub Advisory

Summary

The InboxHandlingService logs the full content of every incoming inbox message at INFO level (logger.info("Received message: {}", message)). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen identifiers (BSN), and case details.

Impact

This data is exposed to:

  • Anyone with access to application logs (stdout/log files)
  • Any Valtimo user with the admin role, through the logging module in the Admin UI

Affected Code

com.ritense.inbox.InboxHandlingService#handle in the inbox module.

Resolution

Fixed in 13.22.0 via commit f16a1940ba (PR #497, tracking issue gzac-issues#653). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output.

Mitigation

For versions before 13.22.0, consider:

  • Restricting access to application logs
  • Adjusting the log level for com.ritense.inbox to WARN or higher in your application configuration

Analysis

Summary

The InboxHandlingService logs the full content of every incoming inbox message at INFO level (logger.info("Received message: {}", message)). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen identifiers (BSN), and case details.

Impact

This data is exposed to:

  • Anyone with access to application logs (stdout/log files)
  • Any Valtimo user with the admin role, through the logging module in the Admin UI

Affected Code

com.ritense.inbox.InboxHandlingService#handle in the inbox module.

Resolution

Fixed in 13.22.0 via commit f16a1940ba (PR #497, tracking issue gzac-issues#653). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output.

Mitigation

For versions before 13.22.0, consider:

  • Restricting access to application logs
  • Adjusting the log level for com.ritense.inbox to WARN or higher in your application configuration

Share

EUVD-2026-23296 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy