Platform: java
Component: valtimo-platform
Fixed in: 13.0.1, 13.22.0.RELEASE
CVE-2026-34164 describes an information disclosure vulnerability in Valtimo, a customer service platform. The InboxHandlingService logs the full content of incoming inbox messages at the INFO level, inadvertently exposing sensitive data. This vulnerability impacts Valtimo versions 13.0.0 up to, but not including, 13.22.0. A fix is available in version 13.22.0.
The primary impact of CVE-2026-34164 is the exposure of sensitive information contained within inbox messages. These messages act as wrappers for outbox message data and can include Personally Identifiable Information (PII), citizen identifiers (BSN), and detailed case information. Attackers with access to the Valtimo application logs (either through stdout/log files or the Admin UI with admin privileges) can extract this sensitive data. The blast radius extends to any user with access to these logs, creating a significant risk of data breaches and regulatory non-compliance. This is a typical case of sensitive data written to logs inadvertently: once the data is in the log, it is readable by anyone with log access, regardless of the application's own access controls on the underlying records.
CVE-2026-34164 was publicly disclosed on 2026-04-16. There is no indication of active exploitation or a KEV listing at the time of writing. Public proof-of-concept code is not currently available. The vulnerability's reliance on log access suggests exploitation would likely require insider access or compromised credentials.
Exploit Status
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2026-34164 is to upgrade Valtimo to version 13.22.0 or later, which includes the fix for this information disclosure issue. If an immediate upgrade is not feasible, consider implementing temporary workarounds to restrict access to application logs. This could involve tightening permissions on log files, limiting access to the Admin UI, and implementing stricter auditing controls. Review and sanitize the data being logged by the InboxHandlingService to prevent sensitive information from being included in log messages. After upgrading, verify the fix by sending a test inbox message containing sample PII and confirming that it is no longer logged at the INFO level.
Update to version 13.22.0 or higher to prevent sensitive data exposure. If you cannot update immediately, restrict access to application logs or adjust the log level for com.ritense.inbox to WARN or higher in the application configuration.
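To support the verification step above (confirming that a test message containing sample PII no longer appears in the logs), here is an added example, not part of this advisory or of Valtimo, that scans log output for BSN values passing the Dutch elfproef check and reports the logger and level they appeared at. The log layout and the log lines are constructed for this example and are assumptions, not Valtimo's real log format.

```python
import re

# Constructed sample log lines in an assumed Spring Boot-style layout
# "<timestamp> <LEVEL> <logger> : <message>"; not Valtimo's real format.
SAMPLE_LOG = """\
2026-04-16T10:00:01.000Z INFO com.ritense.inbox.InboxHandlingService : Received inbox message {"caseId":"C-1001","bsn":"111222333","name":"Example Person"}
2026-04-16T10:00:02.000Z INFO com.ritense.inbox.InboxHandlingService : Handled inbox message id=42 in 123456789 ms
2026-04-16T10:00:03.000Z WARN com.ritense.inbox.InboxHandlingService : Inbox message id=43 rejected (schema mismatch)
2026-04-16T10:00:04.000Z INFO com.ritense.outbox.OutboxService : Published outbox event id=7
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+:\s+(?P<msg>.*)$")
# Nine-digit runs not embedded in a longer digit sequence (BSNs are written as 9 digits).
NINE_DIGITS = re.compile(r"(?<!\d)(\d{9})(?!\d)")

def is_valid_bsn(candidate: str) -> bool:
    """Elfproef for a 9-digit BSN: weights 9..2 on the first eight digits, -1 on the last; sum % 11 == 0."""
    if len(candidate) != 9 or not candidate.isdigit():
        return False
    digits = [int(c) for c in candidate]
    total = sum(w * d for w, d in zip(range(9, 1, -1), digits[:8])) - digits[8]
    return total % 11 == 0

def find_bsn_leaks(log_text: str, logger_prefix: str = "com.ritense.inbox"):
    """Return (line_no, level, bsn) for every line from the given logger whose message
    contains a nine-digit value that passes the elfproef. Random nine-digit numbers
    (durations, ids) fail the check roughly ten times out of eleven, which keeps noise low."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m or not m.group("logger").startswith(logger_prefix):
            continue
        for candidate in NINE_DIGITS.findall(m.group("msg")):
            if is_valid_bsn(candidate):
                findings.append((line_no, m.group("level"), candidate))
    return findings

if __name__ == "__main__":
    # Report leaks without echoing the full BSN into yet another log.
    for line_no, level, bsn in find_bsn_leaks(SAMPLE_LOG):
        print(f"line {line_no}: {level} line from inbox logger contains BSN-like value {bsn[:3]}******")
```

Run it against the real log output after sending the test message; an empty result for the inbox logger at INFO is the expected outcome once the fix or the WARN log-level workaround is in place.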
CVE-2026-34164 is a medium-severity vulnerability in Valtimo where sensitive data within inbox messages is logged, potentially exposing PII and other confidential information to those with log access.
You are affected if you are using Valtimo versions 13.0.0 through 13.21.9. Upgrade to version 13.22.0 or later to resolve the issue.
The recommended fix is to upgrade Valtimo to version 13.22.0 or later. As a temporary workaround, restrict access to application logs and the Admin UI.
There is currently no evidence of active exploitation of CVE-2026-34164, but the potential for data exposure remains a concern.
Refer to the official Valtimo security advisory for detailed information and updates regarding CVE-2026-34164: [https://valtimo.com/security/advisories](https://valtimo.com/security/advisories)