GHSA-HFRG-MCVW-8MCH

Vulnerability from github – Published: 2026-04-16 20:42 – Updated: 2026-04-16 20:42
Summary
Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService
Details

Summary

The InboxHandlingService logs the full content of every incoming inbox message at INFO level (logger.info("Received message: {}", message)). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen identifiers (BSN), and case details.

Impact

This data is exposed to:
- Anyone with access to application logs (stdout/log files)
- Any Valtimo user with the admin role, through the logging module in the Admin UI

Affected Code

com.ritense.inbox.InboxHandlingService#handle in the inbox module.

Resolution

Fixed in 13.22.0 via commit f16a1940ba (PR #497, tracking issue gzac-issues#653). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output.

Mitigation

For versions before 13.22.0, consider:
- Restricting access to application logs
- Adjusting the log level for com.ritense.inbox to WARN or higher in your application configuration
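Lowering the log level stops new exposure, but logs written before the change still hold the payloads. The following added example (not Valtimo project code) audits retained log lines for the INFO-level "Received message: ..." entry from the com.ritense.inbox logger and produces a scrubbed copy; the log layout and the sample lines are constructed for illustration.

```python
"""Audit retained logs for inbox payloads leaked by the INFO-level
"Received message: {}" statement and produce a scrubbed copy.
Added example, not Valtimo code; log layout and samples are constructed."""
import re
from typing import Iterable

# Constructed Spring-Boot-style layout: "<date> <time> <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$"
)
LEAKY_LOGGER_PREFIX = "com.ritense.inbox"   # logger named in the advisory
LEAKY_MSG_PREFIX = "Received message: "     # literal from the vulnerable statement

# Constructed sample log; the payload text is a placeholder, not real data.
SAMPLE_LOG = [
    "2026-04-16 20:42:01.001 INFO  com.ritense.inbox.InboxHandlingService - "
    "Received message: InboxMessage(id=42, data={bsn=<constructed>, caseId=ZAAK-1})",
    "2026-04-16 20:42:01.002 INFO  com.ritense.inbox.InboxHandlingService - "
    "Received message: InboxMessage(id=43, data={caseId=ZAAK-2})",
    "2026-04-16 20:42:01.003 DEBUG com.ritense.inbox.InboxHandlingService - "
    "Received message with id 44",
    "2026-04-16 20:42:01.004 INFO  com.ritense.case.CaseService - Case ZAAK-1 updated",
]

def is_payload_leak(line: str) -> bool:
    """True when the line is the INFO-level inbox entry carrying the message body."""
    m = LINE_RE.match(line)
    if not m:
        return False
    return (m["level"] == "INFO"
            and m["logger"].startswith(LEAKY_LOGGER_PREFIX)
            and m["msg"].startswith(LEAKY_MSG_PREFIX))

def scrub(line: str) -> str:
    """Replace the logged payload with a marker; other lines pass through unchanged."""
    if not is_payload_leak(line):
        return line
    head, _sep, _payload = line.partition(LEAKY_MSG_PREFIX)
    return head + LEAKY_MSG_PREFIX + "[REDACTED]"

def audit(lines: Iterable[str]) -> tuple[int, list[str]]:
    """Return (number of leaking lines, scrubbed copy of the log)."""
    lines = list(lines)
    return sum(is_payload_leak(l) for l in lines), [scrub(l) for l in lines]

if __name__ == "__main__":
    leaks, cleaned = audit(SAMPLE_LOG)
    print(f"{leaks} leaking line(s) found")
    print("\n".join(cleaned))
```

A non-zero count means the affected payloads reached storage and the retention or access controls for those log files need review, not just the log level.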


{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.ritense.valtimo:inbox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0.RELEASE"
            },
            {
              "fixed": "13.22.0.RELEASE"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34164"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T20:42:55Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `InboxHandlingService` logs the full content of every incoming inbox message at INFO level (`logger.info(\"Received message: {}\", message)`). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen identifiers (BSN), and case details.\n\n### Impact\n\nThis data is exposed to:\n- Anyone with access to application logs (stdout/log files)\n- Any Valtimo user with the admin role, through the logging module in the Admin UI\n\n### Affected Code\n\n`com.ritense.inbox.InboxHandlingService#handle` in the `inbox` module.\n\n### Resolution\n\nFixed in [13.22.0](https://github.com/valtimo-platform/valtimo/releases/tag/13.22.0) via commit [`f16a1940ba`](https://github.com/valtimo-platform/valtimo/commit/f16a1940ba7b34627c0b966f98ca78655ace9335) (PR [#497](https://github.com/valtimo-platform/valtimo/pull/497), tracking issue [gzac-issues#653](https://github.com/generiekzaakafhandelcomponent/gzac-issues/issues/653)). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output.\n\n### Mitigation\n\nFor versions before 13.22.0, consider:\n- Restricting access to application logs\n- Adjusting the log level for `com.ritense.inbox` to WARN or higher in your application configuration",
  "id": "GHSA-hfrg-mcvw-8mch",
  "modified": "2026-04-16T20:42:55Z",
  "published": "2026-04-16T20:42:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-hfrg-mcvw-8mch"
    },
    {
      "type": "WEB",
      "url": "https://github.com/generiekzaakafhandelcomponent/gzac-issues/issues/653"
    },
    {
      "type": "WEB",
      "url": "https://github.com/valtimo-platform/valtimo/pull/497"
    },
    {
      "type": "WEB",
      "url": "https://github.com/valtimo-platform/valtimo/commit/f16a1940ba7b34627c0b966f98ca78655ace9335"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/valtimo-platform/valtimo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/valtimo-platform/valtimo/releases/tag/13.22.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService"
}

