Threat Advisory

Valtimo Vulnerability Exposes Sensitive HTTP Data

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-44516 (CVSS score 7.6) is a sensitive data exposure vulnerability in Valtimo affecting the web module com.ritense.valtimo:web, specifically versions 12.4.0 to 12.33.0 and 13.0.0 to 13.26.0. The vulnerability occurs because the LoggingRestClientCustomizer in the web module automatically intercepts and logs outgoing HTTP calls, including full request bodies, response bodies, and response headers, which can contain sensitive information such as authentication credentials, personal data, and session tokens. An attacker with access to the application logs or to log aggregation tools can obtain this data and use it to impersonate the Valtimo application against external APIs, compromising the API's security boundary; the business impact includes unauthorized access to sensitive data and potential data breaches. Note that the vulnerability can be exploited by anyone with access to the application logs, by users with access to log aggregation tools, or by Valtimo users with the admin role, provided the prerequisite of access to the logging functionality is met.

RECOMMENDATION:

  • We recommend updating com.ritense.valtimo:web to version 12.33.0.
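Because the exposure described above means credentials and session tokens may already sit in historical logs, an upgrade alone does not tell you which secrets to rotate. The following is an added example (not Valtimo's code, and the log layout it parses is a constructed, assumed format) that scans logged outbound HTTP traffic for sensitive headers and JSON body fields, reports each hit by line number, and returns a redacted copy suitable for retention:

```python
import json
import re
# Header names and JSON field names whose values must never be written to a log.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_FIELDS = {"password", "secret", "client_secret", "token", "access_token", "refresh_token"}
# Constructed sample imitating a verbose HTTP-client logger that writes full headers and
# bodies of outgoing calls; the layout is assumed and is not Valtimo's real log format.
SAMPLE_LOG = """\
2026-01-10 09:14:02 DEBUG outbound-http - request POST https://api.example.test/v1/orders
2026-01-10 09:14:02 DEBUG outbound-http - request header Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig
2026-01-10 09:14:02 DEBUG outbound-http - request header Content-Type: application/json
2026-01-10 09:14:02 DEBUG outbound-http - request body {"customer":"c-42","password":"hunter2"}
2026-01-10 09:14:03 DEBUG outbound-http - response header Set-Cookie: JSESSIONID=abc123; HttpOnly
2026-01-10 09:14:03 DEBUG outbound-http - response body {"status":"ok","access_token":"tok-999"}
"""
HEADER_RE = re.compile(r"(?:request|response) header (?P<name>[\w-]+): (?P<value>.*)$")
BODY_RE = re.compile(r"(?:request|response) body (?P<json>\{.*\})$")


def _redact_json(obj):
    """Replace values of sensitive keys in nested dicts; return (copy, [hit key names])."""
    if not isinstance(obj, dict):
        return obj, []
    out, hits = {}, []
    for key, value in obj.items():
        if key.lower() in SENSITIVE_FIELDS:
            out[key] = "[REDACTED]"
            hits.append(key)
        else:
            out[key], sub_hits = _redact_json(value)
            hits.extend(sub_hits)
    return out, hits


def audit_log(text):
    """Scan logged HTTP traffic. Returns (redacted lines, [(line_no, kind, name), ...])."""
    redacted, findings = [], []
    for no, line in enumerate(text.splitlines(), start=1):
        header, body = HEADER_RE.search(line), BODY_RE.search(line)
        if header and header.group("name").lower() in SENSITIVE_HEADERS:
            findings.append((no, "header", header.group("name")))
            line = line[:header.start("value")] + "[REDACTED]"
        elif body:
            try:
                clean, hits = _redact_json(json.loads(body.group("json")))
            except json.JSONDecodeError:  # leave non-JSON bodies untouched
                clean, hits = None, []
            findings.extend((no, "body-field", h) for h in hits)
            if hits:
                line = line[:body.start("json")] + json.dumps(clean, separators=(",", ":"))
        redacted.append(line)
    return redacted, findings
```

Each finding identifies a credential or token that must be treated as compromised and rotated; the redacted output is what should remain in the aggregation tool.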

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-3jh5-rr2q-xfv7
