CVE-2026-34164
CWE-532Published: April 16, 2026· Updated: Apr 17, 2026
Official Description
Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data (PII), citizen identifiers (BSN), and case details. This data is exposed to anyone with access to application logs or any Valtimo user with the admin role through the Admin UI logging module. This issue has been fixed in version 13.22.0. If developers are unable to upgrade immediately, they can restrict access to application logs and adjust the log level for com.ritense.inbox to WARN or higher in their application configuration as a workaround.
Technical Analysis
CVE-2026-34164 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation requires high privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
A successful exploit results in complete confidentiality breach (data exposure), with a CVSS base score of 4.9.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (5)
Quick Facts
Related CVEs (CWE-532)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-34164 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts