PT-2026-39895 · Ritense · Valtimo

Published

2026-05-11

·

Updated

2026-05-14

·

CVE-2026-44516

CVSS v3.1

7.6

High

Vector

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Valtimo versions 12.4.0 through 12.32.0
Valtimo versions 13.0.0 through 13.25.0
Description

The LoggingRestClientCustomizer in the web module automatically intercepts every outgoing HTTP call made through Spring's RestClient and logs the full request body, response body and response headers. When an error response is received, the same data is included in the HttpClientErrorException message, which Spring's default exception handling logs at ERROR level, so it reaches the logs even when DEBUG logging is not enabled for the application.

This can expose sensitive data: authentication credentials (JWT tokens, API keys, OAuth tokens), personal data (BSN, e-mail addresses, case details) and session tokens carried in Set-Cookie response headers. The data is readable by anyone with access to the application logs or a log aggregation tool, and by Valtimo users with the admin role.

The issue is located in the intercept function of com.ritense.valtimo.web.logging.LoggingRestClientCustomizer.
Recommendations

Update to version 12.33.0 (12.x) or 13.26.0 (13.x).
Restrict access to application logs and to the Valtimo logging module.
Set the log level for com.ritense.valtimo.web.logging to WARN or higher. Note that this limits only the customizer's own log output; the error path described above is logged at ERROR by Spring's exception handling, so the level change alone does not stop that exposure and a fixed version should be deployed.
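As an added example (not Ritense/Valtimo code and not part of this advisory), the Python script below covers the two practical sides of the description and recommendations above: find_exposures() scans application log text for ERROR-level HttpClientErrorException entries that carry the data classes the advisory lists (a JWT, a Set-Cookie session cookie, an API key, and a BSN validated with the Dutch elfproef so that arbitrary nine-digit ids are not reported), and safe_summary() shows what a hardened outbound-call logger should record instead: no request or response bodies, secret-bearing headers by name only, and the URL without its query string. The log line format, logger names, header values and secrets are constructed for this example; the function names are mine and do not correspond to anything in Valtimo.

```python
"""Triage helper for log exposure of the kind described in CVE-2026-44516.

Added example, not Ritense/Valtimo code. The log lines, header names and
secrets below are constructed for this example.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Headers whose values must never be written to a log line.
SECRET_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}

# Only ERROR-level lines carrying the client exception are of interest: that is
# the path where the full body and headers land regardless of DEBUG settings.
ERROR_MARKER = re.compile(r"\bERROR\b.*HttpClientErrorException")

# Detectors for the data classes the advisory names (group 1 = the secret).
DETECTORS = {
    "jwt": re.compile(r"(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)"),
    "set_cookie": re.compile(r"(?i)set-cookie:\s*([^;\s]+)"),
    "api_key": re.compile(r"(?i)x-api-key:\s*(\S+)"),
    "bsn": re.compile(r"(?<!\d)(\d{9})(?!\d)"),
}


def is_bsn(digits: str) -> bool:
    """Dutch 'elfproef': weights 9..2 on the first eight digits, -1 on the last;
    the weighted sum must be divisible by 11. Cuts false positives on 9-digit ids."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (9, 8, 7, 6, 5, 4, 3, 2, -1)
    return sum(w * int(d) for w, d in zip(weights, digits)) % 11 == 0


def fingerprint(secret: str) -> str:
    """Stable handle for a finding that does not re-leak the secret into the report."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    handle: str  # fingerprint of the secret, never the secret itself


def find_exposures(log_text: str) -> list[Finding]:
    """Report secrets carried in ERROR-level HttpClientErrorException log lines."""
    findings: list[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not ERROR_MARKER.search(line):
            continue
        for kind, pattern in DETECTORS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if kind == "bsn" and not is_bsn(value):
                    continue
                findings.append(Finding(line_no, kind, fingerprint(value)))
    return findings


def safe_summary(method: str, url: str, status: int, headers: dict[str, str], body: bytes | None) -> str:
    """What a hardened outbound-call logger records: method, URL without query
    string, status, non-secret headers, and only the size of the body."""
    parts = urlsplit(url)
    clean_url = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    shown = [
        f"{name}=<redacted>" if name.lower() in SECRET_HEADERS else f"{name}={value}"
        for name, value in headers.items()
    ]
    body_note = f"body={len(body)}B" if body is not None else "body=none"
    return f"{method} {clean_url} -> {status} [{'; '.join(shown)}] {body_note}"


# Constructed sample: an INFO line, an ERROR line of the vulnerable kind, a DEBUG line.
SAMPLE_LOG = """\
2026-05-12T10:15:30.001Z  INFO 1 --- [exec-1] c.r.v.w.l.LoggingRestClientCustomizer : POST https://api.example.test/cases -> 201
2026-05-12T10:15:31.417Z ERROR 1 --- [exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : org.springframework.web.client.HttpClientErrorException: 403 Forbidden; request headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.QUJDREVGR0hJSktMTU5P; request body: {"bsn":"111222333","email":"alice@example.test"}; response headers: Set-Cookie: JSESSIONID=7F0A3C2E9B1D; X-Api-Key: sk_live_deadbeef
2026-05-12T10:15:32.000Z DEBUG 1 --- [exec-3] c.r.v.w.l.LoggingRestClientCustomizer : GET https://api.example.test/health -> 200 body: {"status":"UP"}
"""

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.kind} (sha256 {finding.handle})")
    print(safe_summary("POST", "https://api.example.test/cases?token=abc", 403,
                       {"Authorization": "Bearer ...", "Content-Type": "application/json",
                        "Set-Cookie": "JSESSIONID=1"}, b'{"bsn":"111222333"}'))
```

The scanner deliberately restricts itself to the ERROR path the advisory describes, because that is the one that fires even when DEBUG is off; if the customizer's own DEBUG output was ever enabled in an environment, drop the ERROR_MARKER filter and run the same detectors over every line. Findings carry a SHA-256 prefix rather than the secret so the triage report itself can be shared with the people who must rotate the affected tokens and cookies.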

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2026-44516
GHSA-3JH5-RR2Q-XFV7

Affected Products

Valtimo