CVE-2026-44516: Valtimo has sensitive data exposure through HTTP request/response logging in LoggingRestClientCustomizer
The LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls made via Spring’s RestClient and logs the full request body, response body, and response headers. When an error response is received, this information is included in the thrown HttpClientErrorException message, which is logged at ERROR level by Spring’s default exception handling — regardless of the application’s DEBUG log level setting.
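A log triage sketch for the exposure described above, added here as an example and not taken from Valtimo or the advisory: it finds secret-looking values in log lines, marks those carried by an ERROR-level `HttpClientErrorException` entry (the path that persists with DEBUG off), and masks them. The log layout, logger names, sample lines and secret patterns are all constructed assumptions; adapt them to your own log format.

```python
import re

# Constructed sample lines; the log layout and logger names are assumptions.
SAMPLE_LOG = [
    '2026-01-10 10:00:01 DEBUG example.HttpLog - request body: {"username":"svc","password":"pw-constructed-1"}',
    '2026-01-10 10:00:02 ERROR example.Handler - org.springframework.web.client.'
    'HttpClientErrorException$Unauthorized: 401 Unauthorized: '
    '"{"error":"invalid","access_token":"tok-constructed-123"}" '
    'headers=[Set-Cookie:"SESSION=abc123constructed; Path=/"]',
    '2026-01-10 10:00:03 INFO example.App - started',
    '2026-01-10 10:00:04 ERROR example.Handler - org.springframework.web.client.'
    'HttpClientErrorException$NotFound: 404 Not Found: "[no body]"',
]

# ERROR-level exception lines: the path that stays active with DEBUG logging off.
ERROR_EXC = re.compile(r"\bERROR\b.*HttpClientErrorException")

# Each pattern: group 1 = prefix to keep, group 2 = secret value to mask.
SECRET_PATTERNS = {
    "authorization_header": re.compile(r'(?i)(authorization\s*[:=]\s*"?(?:bearer|basic)\s+)([\w.~+/=-]+)'),
    "json_secret_field": re.compile(r'(?i)("(?:password|secret|token|access_token|client_secret|api_key)"\s*:\s*")([^"]+)'),
    "set_cookie": re.compile(r'(?i)(set-cookie\s*[:=]\s*"?[^=;\s]+=)([^;\s"]+)'),
}

def scan(lines):
    """Return one finding per line that contains a secret-looking value."""
    findings = []
    for number, line in enumerate(lines, start=1):
        kinds = sorted(k for k, p in SECRET_PATTERNS.items() if p.search(line))
        if kinds:
            findings.append({"line": number,
                             "error_exception": bool(ERROR_EXC.search(line)),
                             "kinds": kinds})
    return findings

def exposed_with_debug_off(findings):
    """Findings that would still be written when DEBUG logging is disabled."""
    return [f for f in findings if f["error_exception"]]

def redact(line):
    """Mask the secret values so the line can be shared during triage."""
    for pattern in SECRET_PATTERNS.values():
        line = pattern.sub(r"\g<1>[REDACTED]", line)
    return line

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f, redact(SAMPLE_LOG[f["line"] - 1]))
```

Any credential that shows up in the `exposed_with_debug_off` results was written to the log regardless of the configured log level and is a candidate for rotation.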