{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sensitive-data-exposure/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Valtimo"],"_cs_severities":["high"],"_cs_tags":["sensitive-data-exposure","logging","valtimo"],"_cs_type":"advisory","_cs_vendors":["Ritense"],"content_html":"\u003cp\u003eThe \u003ccode\u003eLoggingRestClientCustomizer\u003c/code\u003e component in Valtimo versions 12.4.0 through 12.32.0 and 13.0.0 through 13.25.0 exhibits a sensitive data exposure vulnerability (CVE-2026-44516). This component, designed to log outgoing HTTP calls made via Spring\u0026rsquo;s \u003ccode\u003eRestClient\u003c/code\u003e, captures and logs the full request body, response body, and response headers. Critically, when an error response is received, this information is included in the \u003ccode\u003eHttpClientErrorException\u003c/code\u003e message. Spring\u0026rsquo;s default exception handling then logs that exception at ERROR level, so the captured request and response data is written out regardless of whether the application has enabled DEBUG logging. This means that even in production environments where debug logging is disabled, sensitive information can still be exposed to anyone with access to the application logs, logging aggregation tools, or the Valtimo logging module (available to Valtimo admins since version 12.5.0). 
This vulnerability was resolved in versions 12.33.0 and 13.26.0 by removing the request/response data from the \u003ccode\u003eHttpClientErrorException\u003c/code\u003e constructor and limiting the full report to DEBUG level logging only.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator configures Valtimo to interact with an external API (e.g., ZGW services) that requires authentication.\u003c/li\u003e\n\u003cli\u003eThe Valtimo application makes an HTTP request to the external API, including sensitive data (e.g., API key, JWT token) in the request body or headers.\u003c/li\u003e\n\u003cli\u003eThe external API returns an error response (e.g., 401 Unauthorized, 500 Internal Server Error).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eLoggingRestClientCustomizer\u003c/code\u003e intercepts the error response and constructs an \u003ccode\u003eHttpClientErrorException\u003c/code\u003e containing the full request and response details, including sensitive data.\u003c/li\u003e\n\u003cli\u003eSpring\u0026rsquo;s default exception handling logs the \u003ccode\u003eHttpClientErrorException\u003c/code\u003e message at ERROR level.\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to the application logs (e.g., via compromised server access, unauthorized access to logging aggregation tools, or the Valtimo logging module).\u003c/li\u003e\n\u003cli\u003eThe attacker reviews the logs and extracts the sensitive data (e.g., API key, JWT token, personal data) from the logged \u003ccode\u003eHttpClientErrorException\u003c/code\u003e message.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the leaked authentication credentials to impersonate the Valtimo application against the external API, gaining unauthorized access to resources or performing actions on behalf of the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation 
of this vulnerability could lead to the exposure of sensitive information, including authentication credentials (JWT tokens, API keys, OAuth tokens), personal data (BSN, email addresses, case details), and session tokens. This information could be used to compromise external APIs integrated with Valtimo, potentially leading to data breaches, unauthorized access to resources, or impersonation of the Valtimo application. The impact is heightened due to the exposure of this data to administrators through the built-in logging module since Valtimo version 12.5.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Valtimo to version 12.33.0 or 13.26.0 to remediate CVE-2026-44516, where the sensitive data is removed from the \u003ccode\u003eHttpClientErrorException\u003c/code\u003e constructor.\u003c/li\u003e\n\u003cli\u003eUntil upgrading, restrict access to application logs and the Valtimo logging module as described in the advisory\u0026rsquo;s Mitigation section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Valtimo HttpClientErrorException Logging of Sensitive Data\u0026rdquo; to identify instances where sensitive data is being logged in error messages, alerting on potential exposures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T16:13:54Z","date_published":"2026-05-11T16:13:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-valtimo-sensitive-data-exposure/","summary":"The `LoggingRestClientCustomizer` in Valtimo's `web` module automatically intercepts all outgoing HTTP calls and logs the full request/response body and headers, potentially exposing sensitive information like credentials, personal data, and session tokens via error messages logged at ERROR level (CVE-2026-44516).","title":"Valtimo Sensitive Data Exposure via Excessive HTTP Request/Response Logging 
(CVE-2026-44516)","url":"https://feed.craftedsignal.io/briefs/2026-05-valtimo-sensitive-data-exposure/"}],"language":"en","title":"CraftedSignal Threat Feed — Sensitive-Data-Exposure","version":"https://jsonfeed.org/version/1.1"}
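The brief's attack chain ends with an attacker reading credentials out of ERROR-level `HttpClientErrorException` messages, and its recommendation is to detect exactly that pattern. The script below is an added example, not code from the feed, from Ritense/Valtimo, or the named Sigma rule: it scans application log lines, keeps only ERROR-level lines carrying `HttpClientErrorException`, flags the ones whose message contains credential-like or personal data (bearer/JWT tokens, API-key-style fields, a BSN), and reports each hit in redacted form so the triage output itself does not re-leak the secret. The `timestamp LEVEL logger - message` layout, the shape of the exception message, and every sample line are constructed for this example and will need adapting to a real deployment's log format.

```python
"""Triage scan for CVE-2026-44516-style log exposure.

Added example; not Valtimo's, Ritense's or CraftedSignal's code, and not the
Sigma rule the brief names. It reads application log lines, keeps the ones
where an HttpClientErrorException was logged at ERROR level, and flags those
whose message carries credential-like or personal data, reporting each hit in
redacted form so the triage output does not re-leak the secret.

Assumptions (all constructed for this example): the "timestamp LEVEL logger -
message" log layout, the exception message shape, and every sample line.
"""
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$")
STATUS_RE = re.compile(r"HttpClientErrorException:\s+(\d{3}\s+[A-Za-z ]+?)\s+on\s+")

# Label -> regex whose first group is the secret-looking value. These are
# deliberately broad: the cost of a false positive here is one analyst look.
SECRET_PATTERNS = {
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]+=*)"),
    "jwt": re.compile(r"\b(eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,})\b"),
    "api_key_field": re.compile(r'(?i)"?(?:api[_-]?key|client_secret|password)"?\s*[:=]\s*"?([^",\s]+)'),
    "bsn": re.compile(r"(?i)\b(?:bsn|burgerservicenummer)\b\D{0,5}(\d{9})\b"),
}


@dataclass
class Finding:
    line_no: int              # 1-based index into the scanned input
    status: Optional[str]     # e.g. "401 Unauthorized", when the message carries it
    kinds: tuple              # names of the SECRET_PATTERNS that matched, sorted
    redacted: dict            # kind -> redacted value, safe to paste into a ticket


def redact(value: str) -> str:
    """Keep a 4-char prefix for correlation and drop the rest of the value."""
    return f"{value[:4]}...[{len(value)} chars]"


def scan(lines) -> list:
    findings = []
    for no, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        # The vulnerable path logs the exception at ERROR. DEBUG-level output is
        # the intended post-fix behaviour and is left to log-level policy.
        if m["level"] != "ERROR" or "HttpClientErrorException" not in m["msg"]:
            continue
        hits = {}
        for kind, pat in SECRET_PATTERNS.items():
            found = pat.search(m["msg"])
            if found:
                hits[kind] = redact(found.group(1))
        if not hits:
            continue  # an error was logged, but nothing secret-looking rode along
        st = STATUS_RE.search(m["msg"])
        findings.append(Finding(no, st.group(1) if st else None, tuple(sorted(hits)), hits))
    return findings


# Constructed sample lines (not real Valtimo output). Line 1 is the exposure:
# an ERROR-level HttpClientErrorException carrying the outgoing Authorization
# header (a JWT) and a BSN from the request body. Line 2 is an error without
# secrets, line 3 is DEBUG output, line 4 is an unrelated ERROR.
SAMPLE_LOG = [
    '2026-05-11T16:13:54Z ERROR o.s.web.client.RestClient - org.springframework.web.client.HttpClientErrorException: 401 Unauthorized on POST https://zgw.example/zaken/api/v1/zaken: request headers [Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ2YWx0aW1vIn0.c2lnbmF0dXJlc2lnbmF0dXJl] request body {"bsn":"123456789","omschrijving":"test"} response body {"error":"invalid_token"}',
    '2026-05-11T16:14:02Z ERROR c.r.valtimo.ZaakService - org.springframework.web.client.HttpClientErrorException: 404 Not Found on GET https://zgw.example/documenten/api/v1/objecten/42: response body {"detail":"not found"}',
    '2026-05-11T16:14:10Z DEBUG c.r.valtimo.web.LoggingRestClientCustomizer - Outgoing POST https://zgw.example/zaken/api/v1/zaken headers [Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ2YWx0aW1vIn0.c2lnbmF0dXJlc2lnbmF0dXJl]',
    '2026-05-11T16:14:20Z ERROR c.r.valtimo.ZaakService - java.lang.NullPointerException: zaak is null',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.status or 'unknown status'} -> {', '.join(f.kinds)}")
        for kind, value in f.redacted.items():
            print(f"  {kind}: {value}")
```

Run it over a real log export by replacing `SAMPLE_LOG` with the file's lines; a non-empty result on an ERROR line is the signal the brief's Sigma rule is meant to raise, and any token it names should be treated as exposed and rotated, not merely scrubbed from the log.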