CVE-2026-44516: Valtimo Logs Sensitive Data Regardless of Debug Settings

The National Vulnerability Database (NVD) reports a high-severity vulnerability, CVE-2026-44516, in Valtimo, an open-source business process automation platform. Versions 12.4.0 through 12.33.0 and 13.26.0 are affected. The issue stems from the LoggingRestClientCustomizer in the web module, which indiscriminately intercepts and logs all outgoing HTTP request and response bodies, as well as response headers.

Critically, when an error response occurs, this sensitive information is embedded in the HttpClientErrorException message. Spring's default exception handling then logs that message at the ERROR level, so the leak happens regardless of whether the application has DEBUG logging enabled. This means production systems could be inadvertently writing highly sensitive data, including API keys, PII, or other confidential information, into their standard error logs.

The NVD assigns a CVSSv3.1 score of 7.6 (High) to this vulnerability, categorized under CWE-532 (Inclusion of Sensitive Information in Log Files). Valtimo has addressed this flaw in versions 12.33.0 and 13.26.0. Organizations utilizing affected versions must prioritize patching to prevent the inadvertent exposure of critical business data.

What This Means For You

  • If your organization uses Valtimo, immediately check your version. If you are running 12.4.0 to 12.33.0 or 13.26.0, patch to 12.33.0 or 13.26.0 without delay. This isn't just a theoretical risk; it's a direct data leakage vector. Audit your logs for any `HttpClientErrorException` messages that might contain sensitive request/response data. Assume compromise until proven otherwise and rotate any credentials or tokens that could have been logged.
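One way to carry out the log audit recommended above, as an added example that is not code from the Valtimo project or from the advisory: it scans Spring Boot-style application log lines for HttpClientErrorException messages, records every one that carries a response payload, and flags payloads that look like credentials or personal data so the affected tokens can be rotated. The log layout, the assumed exception message format, the secret heuristics and the sample lines are all constructed assumptions for the example.

```python
"""Audit Spring-style application logs for HttpClientErrorException messages
that carry response bodies or headers, and flag the ones that look like they
contain credentials or personal data.

Added example for this advisory; it is not code from the Valtimo project. The
log layout, the exception message format and the secret heuristics are
assumptions made for the example.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines in a Spring Boot-like layout (not real log data).
SAMPLE_LOG = '''2026-05-14 20:16:01.123 ERROR 4242 --- [nio-8080-exec-3] o.s.w.s.m.m.a.ExceptionHandlerExceptionResolver : Resolved [org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 Unauthorized: "{"error":"invalid_token","api_key":"sk_live_EXAMPLE123456"}", headers: [Authorization:"Bearer eyJhbGciOiJIUzI1NiJ9.EXAMPLE", Content-Type:"application/json"]]
2026-05-14 20:16:02.456  INFO 4242 --- [nio-8080-exec-4] c.r.valtimo.ProcessService : Process started
2026-05-14 20:16:03.789 ERROR 4242 --- [nio-8080-exec-5] o.s.w.s.m.m.a.ExceptionHandlerExceptionResolver : Resolved [org.springframework.web.client.HttpClientErrorException$NotFound: 404 Not Found: "{"message":"case not found"}", headers: [Content-Type:"application/json"]]
2026-05-14 20:16:04.000 ERROR 4242 --- [nio-8080-exec-6] c.r.valtimo.DocumentService : Call failed: org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: "{"email":"jane.doe@example.org","name":"Jane Doe"}"
'''

# Assumed shape of the exception message: "<status> <reason>: <body and headers>".
EXC_RE = re.compile(
    r"HttpClientErrorException(?:\$\w+)?:\s*(?P<status>\d{3})\s+(?P<reason>[^:]+):\s*(?P<payload>.*)$"
)

# Heuristics for material that should never reach a log file (assumptions, not
# an exhaustive secret grammar). Dict order is the order redaction is applied.
SECRET_PATTERNS = {
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]+=*"),
    "authorization_header": re.compile(r"Authorization\s*[:=]"),
    "credential_field": re.compile(
        r'(?i)"?(?:api[_-]?key|secret|password|token)"?\s*[:=]\s*"?[^",\s}]+'
    ),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}

# Categories whose presence means a credential reached disk and must be rotated.
CREDENTIAL_CATEGORIES = {"bearer_token", "authorization_header", "credential_field"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    status: int
    categories: tuple  # sorted names of the SECRET_PATTERNS that matched
    preview: str       # payload with matches redacted, safe to paste into a ticket


def redact(payload: str) -> tuple:
    """Return (sorted category names found, payload with those spans redacted)."""
    found = []
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(payload):
            found.append(name)
            payload = pattern.sub(f"<{name}>", payload)
    return tuple(sorted(found)), payload


def scan_log(text: str) -> list:
    """Every HttpClientErrorException line yields a Finding, even when no secret
    pattern fires: the body itself is data that was never meant to be logged."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = EXC_RE.search(line)
        if not match:
            continue
        categories, preview = redact(match.group("payload"))
        findings.append(Finding(line_no, int(match.group("status")), categories, preview[:160]))
    return findings


def rotation_candidates(findings: list) -> list:
    """Line numbers whose payload contained credential-like material."""
    return [f.line_no for f in findings if CREDENTIAL_CATEGORIES & set(f.categories)]


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: HTTP {f.status} categories={f.categories or 'none'}")
        print(f"  {f.preview}")
    print("rotate credentials logged on lines:", rotation_candidates(results))
```

Run it against an exported log file instead of the built-in sample by reading the file into `scan_log`. The scanner reports every exception line with a payload, not only the ones with a secret hit, because the heuristics are narrow on purpose: a body that leaked with no pattern match still needs a human to decide whether it was sensitive, and only the preview (with matches already redacted) should leave the host.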

🛡️ Detection Rules

Level: high · ATT&CK: T1190 (Initial Access)

CVE-2026-44516: Valtimo Sensitive Data Logging in HTTP Errors

Sigma YAML:
title: 'CVE-2026-44516: Valtimo Sensitive Data Logging in HTTP Errors'
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
  Detects outgoing HTTP requests from Valtimo (versions 12.4.0 to 12.33.0 and 13.26.0) that result in an error status code (5xx). The vulnerability causes sensitive data from request/response bodies and headers to be logged at the ERROR level, even when debug logging is disabled. This rule specifically looks for error responses from API endpoints, which are common targets for data exfiltration.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44516/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    sc-status|startswith:
      - '5'
    cs-uri|contains:
      - '/api/v1'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

ID             | Type                   | Indicator
CVE-2026-44516 | Information Disclosure | Valtimo versions 12.4.0 to 12.33.0 (exclusive) and 13.0.0 to 13.26.0 (exclusive)
CVE-2026-44516 | Information Disclosure | Valtimo web module: LoggingRestClientCustomizer
CVE-2026-44516 | Information Disclosure | Automatic logging of full HTTP request body, response body, and response headers on error responses

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
