
CVE-2024-34706 Design/Logic Flaw

Remediate Within one Month

CVE Information

Original CVE data


Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token (JWT) of the user is exposed to `` via the `x-jwt-token` header. An attacker can retrieve personal information from this token, or use it to execute requests to the Valtimo REST API on behalf of the logged-in user. This issue is caused by a misconfiguration of the component. The following conditions have to be met in order to perform this attack: An attacker needs to have access to the network traffic on the `` domain; the content of the `x-jwt-token` header is logged or otherwise available to the attacker; an attacker needs to have network access to the Valtimo API; and an attacker needs to act within the time-to-live of the access token. The default TTL in Keycloak is 5 minutes. Versions 10.8.4, 11.1.6 and 11.2.2 have been patched.

CWE: CWE-532
CVSS v2: -
CVSS v3: 9.8
Affected Vendors

Valtimo-platform - (1)

Basic Analysis

Common vulnerability metrics

Vulnerability type as detected by PRIOnengine

Design/Logic Flaw

CVSS Scores as calculated by PRIOnengine
CVSS v2: 4.3
CVSS v3: 7.5



No exploit code is reported to exist.

Active Exploitation

Vulnerability is not in CISA's Known Exploited Vulnerabilities (KEV) catalog. See the KEV Catalog

Social Network Activity


Threat Actor Activity

No sightings of the vulnerability within threat reports.

Cybersecurity Frameworks

How the vulnerability maps against various cybersecurity frameworks

T1550.001 - Use Alternate Authentication Material (Application Access Token)

Compliance Impact

How the submitted vulnerability affects compliance


Web Application Security Frameworks

Applicable if the issue likely affects a web application