Vulnerability in Apache Log4j Core SSL Configuration Exposes Applications to Man-in-the-Middle Attacks
CVE-2026-34477

6.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Log4j Core
Vendor: CVE Published:; 10 April 2026

What is CVE-2026-34477?

This vulnerability arises from incomplete remediation of a previous issue, where the hostname verification mechanism was not correctly enforced in specific configurations. In particular, when using the SSL appender for SMTP, Socket, or Syslog, an attacker may be able to conduct a man-in-the-middle attack if they can exploit a TLS connection with a trusted certificate. Users of the HTTP appender are not affected due to its distinct verification attribute being unaffected by this issue. For secure applications, upgrading to Apache Log4j Core 2.25.4 or later is imperative.

Affected Version(s)

Apache Log4j Core 2.12.0 < 2.25.4

Apache Log4j Core 3.0.0-alpha1 <= 3.0.0-beta3

References

https://github.com/apache/logging-log4j2/pull/4075

patch

https://logging.apache.org/security.html#CVE-2026-34477

vendor-advisory

https://logging.apache.org/cyclonedx/vdr.xml

vendor-advisory

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2026
Vulnerability Reserved
Mar 28, 2026

Credit

Samuli Leinonen (original reporter)

Naresh Kandula (independently)

Vitaly Simonovich (independently)

Raijuna (independently)

Danish Siddiqui (djvirus, independently)

Markus Magnuson (independently)

Haruki Oyama (Waseda University, independently)

CVE-2026-34477 Data

JSON