GHSA-hfrg-mcvw-8mch

Source
https://github.com/advisories/GHSA-hfrg-mcvw-8mch
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hfrg-mcvw-8mch/GHSA-hfrg-mcvw-8mch.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hfrg-mcvw-8mch
Aliases
  • CVE-2026-34164
Published
2026-04-16T20:42:55Z
Modified
2026-05-05T16:07:11.116255Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService
Details

Summary

The InboxHandlingService logs the full content of every incoming inbox message at INFO level (logger.info("Received message: {}", message)). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen identifiers (BSN), and case details.

Impact

This data is exposed to:
  • Anyone with access to application logs (stdout/log files)
  • Any Valtimo user with the admin role, through the logging module in the Admin UI

Affected Code

com.ritense.inbox.InboxHandlingService#handle in the inbox module.

Resolution

Fixed in 13.22.0 via commit f16a1940ba (PR #497, tracking issue gzac-issues#653). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output.

Mitigation

For versions before 13.22.0, consider:
  • Restricting access to application logs
  • Adjusting the log level for com.ritense.inbox to WARN or higher in your application configuration
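The affected log statement beside the fixed form, as an added illustration that is not Valtimo's own code: the InboxMessage record, its fields, the class and method names and the constructed sample payload are assumptions; only the two log statements and the logger name com.ritense.inbox mirror the advisory.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Added illustration, not Valtimo's code. Everything except the two log
// statements (INFO with payload vs. DEBUG without) is assumed for the example.
public class InboxLoggingExample {
    private static final Logger logger = LoggerFactory.getLogger(InboxLoggingExample.class);

    // Hypothetical wrapper around outbox message data; the payload is where
    // PII, BSN citizen identifiers and case details would travel.
    public record InboxMessage(String id, String type, String payload) {}

    // Affected versions (13.0.0 up to 13.21.0): the whole record, payload included,
    // is rendered by "{}" at INFO and lands in log files and in the Admin UI
    // logging module, readable by every admin-role user.
    public static void handleBefore(InboxMessage message) {
        logger.info("Received message: {}", message);
    }

    // Fixed form (13.22.0): DEBUG level and no payload, only non-sensitive
    // identifiers. Logging fields explicitly also avoids relying on toString().
    public static void handleAfter(InboxMessage message) {
        logger.debug("Received message id={} type={}", message.id(), message.type());
    }

    // Operational mitigation for versions before 13.22.0, per the advisory:
    // raise the log level for com.ritense.inbox to WARN or higher, e.g. in a
    // Spring Boot style configuration (assumed property format):
    //   logging.level.com.ritense.inbox=WARN
    // The INFO statement is then suppressed even though the code still contains it.
    public static void main(String[] args) {
        // Constructed sample values, not real data.
        InboxMessage m = new InboxMessage("msg-42", "case.created",
                "{\"bsn\":\"000000000\",\"name\":\"J. Doe\"}");
        handleBefore(m);
        handleAfter(m);
    }
}
```

Run with slf4j-api and a binding such as logback on the classpath; with the default (INFO) level the first call prints the full record and the second prints nothing.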

Database specific
{
    "nvd_published_at": "2026-04-16T22:16:37Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T20:42:55Z"
}
Affected packages

Maven / com.ritense.valtimo:inbox

Package

Name
com.ritense.valtimo:inbox
Purl
pkg:maven/com.ritense.valtimo/inbox

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13.0.0.RELEASE
Fixed
13.22.0.RELEASE

Affected versions

13.*
13.0.0.RELEASE
13.0.1.RELEASE
13.0.2.RELEASE
13.1.0.RELEASE
13.1.1.RELEASE
13.1.2.RELEASE
13.1.3.RELEASE
13.2.0.RELEASE
13.2.1.RELEASE
13.3.0.RELEASE
13.4.0.RELEASE
13.4.1.RELEASE
13.5.0.RELEASE
13.5.1.RELEASE
13.6.0.RELEASE
13.7.0.RELEASE
13.8.0.RELEASE
13.9.0.RELEASE
13.9.1.RELEASE
13.10.0.RELEASE
13.11.0.RELEASE
13.12.0.RELEASE
13.13.0.RELEASE
13.14.0.RELEASE
13.15.0.RELEASE
13.16.0.RELEASE
13.17.0.RELEASE
13.17.1.RELEASE
13.18.0.RELEASE
13.19.0.RELEASE
13.20.0.RELEASE
13.21.0.RELEASE

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hfrg-mcvw-8mch/GHSA-hfrg-mcvw-8mch.json"