CVE-2026-34164: CWE-532: Insertion of Sensitive Information into Log File in valtimo-platform valtimo
Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data (PII), citizen identifiers (BSN), and case details. This data is exposed to anyone with access to application logs or any Valtimo user with the admin role through the Admin UI logging module. This issue has been fixed in version 13.22.0. If developers are unable to upgrade immediately, they can restrict access to application logs and adjust the log level for com.ritense.inbox to WARN or higher in their application configuration as a workaround.
AI Analysis
Technical Summary
Valtimo versions 13.0.0 to 13.21.0 contain a CWE-532 vulnerability where the InboxHandlingService logs entire inbox message contents at INFO level. These messages may include highly sensitive data like PII and citizen identifiers (BSN). This logging behavior exposes sensitive information to users with access to application logs or admin UI logging modules. The vulnerability is resolved in version 13.22.0. Workarounds include restricting log access and configuring the log level for com.ritense.inbox to WARN or above to prevent sensitive data from being logged.
Potential Impact
Sensitive information such as personal data, citizen identifiers, and case details can be exposed through application logs or the admin UI logging module. This exposure risks confidentiality breaches but does not impact integrity or availability. The vulnerability requires administrative privileges or access to logs to exploit, limiting the attack surface. The CVSS score is 4.9 (medium severity), reflecting network attack vector with low complexity but requiring high privileges and no user interaction.
Mitigation Recommendations
A fixed version (13.22.0) of Valtimo is available and should be applied to remediate this vulnerability. If immediate upgrade is not possible, restrict access to application logs to authorized personnel only and configure the logging level for com.ritense.inbox to WARN or higher to prevent sensitive data from being logged at INFO level.
CVE-2026-34164: CWE-532: Insertion of Sensitive Information into Log File in valtimo-platform valtimo
Description
Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data (PII), citizen identifiers (BSN), and case details. This data is exposed to anyone with access to application logs or any Valtimo user with the admin role through the Admin UI logging module. This issue has been fixed in version 13.22.0. If developers are unable to upgrade immediately, they can restrict access to application logs and adjust the log level for com.ritense.inbox to WARN or higher in their application configuration as a workaround.
CVSS v3.1
Score 4.9medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Valtimo versions 13.0.0 to 13.21.0 contain a CWE-532 vulnerability where the InboxHandlingService logs entire inbox message contents at INFO level. These messages may include highly sensitive data like PII and citizen identifiers (BSN). This logging behavior exposes sensitive information to users with access to application logs or admin UI logging modules. The vulnerability is resolved in version 13.22.0. Workarounds include restricting log access and configuring the log level for com.ritense.inbox to WARN or above to prevent sensitive data from being logged.
Potential Impact
Sensitive information such as personal data, citizen identifiers, and case details can be exposed through application logs or the admin UI logging module. This exposure risks confidentiality breaches but does not impact integrity or availability. The vulnerability requires administrative privileges or access to logs to exploit, limiting the attack surface. The CVSS score is 4.9 (medium severity), reflecting network attack vector with low complexity but requiring high privileges and no user interaction.
Mitigation Recommendations
A fixed version (13.22.0) of Valtimo is available and should be applied to remediate this vulnerability. If immediate upgrade is not possible, restrict access to application logs to authorized personnel only and configure the logging level for com.ritense.inbox to WARN or higher to prevent sensitive data from being logged at INFO level.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-25T20:12:04.197Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e1554682d89c981fce0d78
Added to database: 4/16/2026, 9:31:50 PM
Last enriched: 4/24/2026, 4:12:28 PM
Last updated: 6/1/2026, 7:39:13 PM
Views: 72
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.