Skip to main content

Valtimo EUVDEUVD-2026-30335

| CVE-2026-44516 HIGH
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-11 https://github.com/valtimo-platform/valtimo GHSA-3jh5-rr2q-xfv7
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 16:30 vuln.today
Analysis Generated
May 11, 2026 - 16:30 vuln.today
CVE Published
May 11, 2026 - 16:11 nvd
HIGH 7.6

DescriptionGitHub Advisory

Summary

The LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls made via Spring's RestClient and logs the full request body, response body, and response headers. When an error response is received, this information is included in the thrown HttpClientErrorException message, which is logged at ERROR level by Spring's default exception handling - regardless of the application's DEBUG log level setting.

Impact

The logged data can contain highly sensitive information including:

  • Authentication credentials (JWT tokens, API keys, OAuth tokens) in request bodies or response headers
  • Personal data (BSN, email addresses, case details) in request/response bodies
  • Session tokens in Set-Cookie response headers

This data is exposed to:

  • Anyone with access to application logs (stdout/log files)
  • Users with access to logging aggregation tools (e.g. Grafana/Loki)
  • Any Valtimo user with the admin role, through the built-in logging module (since Valtimo 12.5.0)

Leaked authentication credentials could be used to impersonate the Valtimo application against the target external API (e.g. ZGW services), compromising that API's security boundary.

Related: GHSA-hfrg-mcvw-8mch (similar sensitive data exposure in InboxHandlingService)

Affected Code

com.ritense.valtimo.web.logging.LoggingRestClientCustomizer#intercept in the web module.

Patched Versions

The vulnerability is fixed in:

  • 12.33.0 (v12 release line) - see PR #600
  • 13.26.0 (v13 release line) - see PR #599

The fix removes the request/response report, headers, and response body from the HttpClientErrorException constructor; only the HTTP status code and status text remain. The full request/response report is still emitted at DEBUG level (disabled in production).

Mitigation

If you cannot upgrade to a patched version immediately, consider:

  • Restricting access to application logs and the Valtimo logging module
  • Adjusting the log level for com.ritense.valtimo.web.logging to WARN or higher (note: this only mitigates the DEBUG logging path; error responses still leak data via the exception message)

AnalysisAI

Sensitive credentials and personal data leak through production error logs in Valtimo's web module via LoggingRestClientCustomizer. The component intercepts all outgoing Spring RestClient HTTP calls and includes full request/response bodies and headers in HttpClientErrorException messages logged at ERROR level, exposing JWT tokens, API keys, OAuth tokens, session cookies, and personal data (BSN numbers, case details) to anyone with log access or Valtimo admin role. Vendor-released patches available for both affected release lines (12.33.0 and 13.26.0). No public exploit identified at time of analysis, but exploitation requires only privileged access to logs rather than technical exploitation of a code vulnerability.

Technical ContextAI

The vulnerability resides in com.ritense.valtimo.web.logging.LoggingRestClientCustomizer, a Spring RestClientCustomizer that intercepts all outgoing HTTP requests made via Spring's RestClient. The component logs complete request/response data, but critically, when HTTP error responses occur, it embeds full request bodies, response bodies, and response headers into the HttpClientErrorException constructor. Spring's default exception handling logs these exceptions at ERROR level regardless of DEBUG settings, bypassing the intended DEBUG-only logging control. This represents CWE-532 (Insertion of Sensitive Information into Log File), where the logging framework inadvertently becomes a data exfiltration vector. The affected packages are pkg:maven/com.ritense.valtimo:web versions 12.4.0-12.32.x and 13.0.0-13.25.x. The fix strips request/response reports, headers, and bodies from exception messages while preserving DEBUG-level detailed logging for troubleshooting.

RemediationAI

Upgrade to patched versions: 12.33.0 for v12 release line (PR #600 at https://github.com/valtimo-platform/valtimo/pull/600) or 13.26.0 for v13 release line (PR #599 at https://github.com/valtimo-platform/valtimo/pull/599). The patches remove request/response reports, headers, and response bodies from HttpClientErrorException messages, retaining only HTTP status code and status text in exceptions while preserving full DEBUG-level logging for development troubleshooting. If immediate upgrade is not feasible, implement layered compensating controls: (1) Restrict access to application logs and disable the Valtimo built-in logging module for non-superadmin users, (2) Set log level for com.ritense.valtimo.web.logging to WARN or higher via LOGGING_LEVEL_COM_RITENSE_VALTIMO_WEB_LOGGING environment variable - note this only prevents DEBUG path leakage; ERROR-level exception messages still leak data until patched, (3) Rotate potentially exposed credentials for all external APIs integrated with Valtimo (ZGW services, OAuth providers) if logs were accessible to untrusted parties, (4) Review log retention policies and purge historical logs containing sensitive data. Vendor notes related issue GHSA-hfrg-mcvw-8mch for similar exposure in InboxHandlingService.

CVE-2023-34111 CRITICAL POC
9.8 Jun 06

The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerabili

CVE-2022-26148 CRITICAL POC
9.8 Mar 21

An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. Rated critical severity (CVSS 9.8), this

CVE-2020-27846 CRITICAL POC
9.8 Dec 21

A signature verification vulnerability exists in crewjam/saml. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2018-15727 CRITICAL POC
9.8 Aug 29

Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generat

CVE-2024-9264 CRITICAL POC
9.4 Oct 18

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input.

CVE-2026-63087 CRITICAL POC
9.3 Jul 16

Authentication bypass in Grafana OnCall through 1.16.11 lets unauthenticated remote attackers mint a valid PluginAuthTok

CVE-2023-36649 CRITICAL POC
9.1 Dec 12

Insertion of sensitive information in the centralized (Grafana) logging system in ProLion CryptoSpike 3.0.15P2 allows re

CVE-2025-4123 HIGH POC
7.6 May 22

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redire

CVE-2020-13379 HIGH POC
8.2 Jun 03

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. Rated high severity (CVSS

CVE-2023-1387 HIGH POC
7.5 Apr 26

Grafana is an open-source platform for monitoring and observability. Rated high severity (CVSS 7.5), this vulnerability

CVE-2022-32276 HIGH POC
7.5 Jun 17

Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. Rated high severity (

CVE-2022-32275 HIGH POC
7.5 Jun 06

Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. Rated high

Share

EUVD-2026-30335 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy