Valtimo LoggingRestClientCustomizer HTTP Info Disclosure 12.4.0-12.32/13.0-13.25
CVE-2026-44516 Published on May 14, 2026
Valtimo: Sensitive data exposure through HTTP request/response logging in LoggingRestClientCustomizer
Valtimo is an open-source business process automation platform. In versions from 12.4.0 before 12.33.0 and from 13.0.0 before 13.26.0, the LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls made via Spring's RestClient and logs the full request body, response body, and response headers. When an error response is received, this information is also included in the message of the thrown HttpClientErrorException, which Spring's default exception handling logs at ERROR level regardless of whether the application has DEBUG logging enabled. This vulnerability is fixed in 12.33.0 and 13.26.0.
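To illustrate the weakness and a safer pattern, the following is an added example written for this page, not Valtimo's own code: a Spring `ClientHttpRequestInterceptor` that echoes bodies and headers into the log (the risky shape described above) beside a hardened form that logs only method, path, status and an allow-list of headers. The class names and the allow-list are assumptions; only the Spring and SLF4J APIs are real.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.web.client.RestClient;

/** Risky pattern (hypothetical name): every outgoing body and header lands in the log file. */
class BodyLoggingInterceptor implements ClientHttpRequestInterceptor {
    private static final Logger log = LoggerFactory.getLogger(BodyLoggingInterceptor.class);

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                                        ClientHttpRequestExecution execution) throws IOException {
        // Bearer tokens, API keys and personal data in the payload are now persisted in the log.
        log.debug("{} {} headers={} body={}", request.getMethod(), request.getURI(),
                request.getHeaders(), new String(body, StandardCharsets.UTF_8));
        return execution.execute(request, body);
    }
}

/** Hardened form (hypothetical name): metadata only, never bodies, only allow-listed headers. */
class SafeLoggingInterceptor implements ClientHttpRequestInterceptor {
    private static final Logger log = LoggerFactory.getLogger(SafeLoggingInterceptor.class);
    // Assumed allow-list: headers that cannot carry credentials. Authorization, Cookie etc. are never logged.
    private static final List<String> SAFE_HEADERS = List.of("content-type", "content-length");

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                                        ClientHttpRequestExecution execution) throws IOException {
        ClientHttpResponse response = execution.execute(request, body);
        if (log.isDebugEnabled()) {
            Map<String, String> headers = new LinkedHashMap<>();
            for (String name : SAFE_HEADERS) {
                String value = request.getHeaders().getFirst(name);
                if (value != null) headers.put(name, value);
            }
            // Path only: query strings may hold tokens; body is reported by size, not content.
            log.debug("{} {} -> {} bodyBytes={} headers={}", request.getMethod(),
                    request.getURI().getPath(), response.getStatusCode(), body.length, headers);
        }
        return response; // error handling stays with Spring; nothing sensitive is attached here
    }
}
```

Register the hardened interceptor with `RestClient.builder().requestInterceptor(new SafeLoggingInterceptor()).build()`; the same allow-list discipline applies to any response-header logging you add.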
Vulnerability Analysis
CVE-2026-44516 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Affected Versions
valtimo-platform / valtimo:
- Version >= 12.4.0, < 12.33.0 is affected.
- Version >= 13.0.0, < 13.26.0 is affected.