Log Injection Vulnerability in Apache Log4j Core Product
CVE-2026-34478

6.9 MEDIUM

Key Information:

Vendor

Apache

CVE Published:
10 April 2026

What is CVE-2026-34478?

In Apache Log4j Core versions 2.21.0 through 2.25.3, the Rfc5424Layout component is susceptible to log injection because two critical configuration attributes were renamed unnecessarily. The renamed newLineEscape attribute breaks newline escaping for messages sent with TCP framing (RFC 6587), which permits CRLF injection into log output. The renamed useTlsMessageFormat attribute causes an unintentional downgrade from TLS framing (RFC 5425) to unframed TCP, undermining the protection that TLS framing provides. Users of SyslogAppender are not affected. To remediate this vulnerability, update to Apache Log4j Core version 2.25.4.
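The description above hinges on why newline escaping matters for syslog over TCP: RFC 6587 non-transparent framing delimits records with LF, so a raw newline inside a message body is read by the receiver as the start of a second record, whereas the octet-counting framing used by RFC 5425 (TLS) carries an explicit length and preserves record boundaries. The following Python script is an added illustration, not code from Log4j or this advisory; the message text is constructed, the backslash escape sequence it emits is an assumption rather than what Log4j's newLineEscape option produces, and the two parsers model a receiving relay rather than any specific product.

```python
"""Receiver-side view of syslog TCP framing (RFC 6587) and newline escaping."""

# Constructed sample: a syslog message whose body contains a CRLF that
# originated in untrusted data and was logged without escaping.
HEADER = "<165>1 2026-04-10T12:00:00Z host app - - - "
UNTRUSTED_FIELD = (
    "login failed for user bob\r\n"
    "<165>1 2026-04-10T12:00:01Z host app - - - login ok for user admin"
)
MESSAGE = HEADER + UNTRUSTED_FIELD


def escape_newlines(msg: str) -> str:
    """Replace raw CR and LF with visible escapes (assumed scheme).
    This is what a layout's newline-escaping option exists for: a record
    delimited by LF must never contain a raw LF."""
    return msg.replace("\r", "\\r").replace("\n", "\\n")


def frame_non_transparent(msg: str) -> bytes:
    """RFC 6587 section 3.4.2: each record is terminated by LF."""
    return msg.encode("utf-8") + b"\n"


def frame_octet_counting(msg: str) -> bytes:
    """RFC 6587 section 3.4.1 / RFC 5425 section 4.3: 'MSG-LEN SP SYSLOG-MSG'."""
    data = msg.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def parse_non_transparent(stream: bytes) -> list:
    """Receiver view: split the byte stream on LF, as a relay would."""
    return [r.decode("utf-8") for r in stream.split(b"\n") if r]


def parse_octet_counting(stream: bytes) -> list:
    """Receiver view: read the decimal length prefix, then exactly that many bytes."""
    records = []
    pos = 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)
        length = int(stream[pos:sp])
        start = sp + 1
        records.append(stream[start:start + length].decode("utf-8"))
        pos = start + length
    return records


def records_seen_by_receiver(msg: str, escape: bool, octet_counting: bool) -> int:
    """How many records a relay reconstructs from one logged message."""
    body = escape_newlines(msg) if escape else msg
    if octet_counting:
        return len(parse_octet_counting(frame_octet_counting(body)))
    return len(parse_non_transparent(frame_non_transparent(body)))


if __name__ == "__main__":
    # Unescaped body under LF-delimited framing: the receiver sees two records.
    print("non-transparent, unescaped:", records_seen_by_receiver(MESSAGE, False, False))
    # Escaped body under LF-delimited framing: one record, newline kept visible.
    print("non-transparent, escaped:  ", records_seen_by_receiver(MESSAGE, True, False))
    # Octet counting carries the length, so the boundary survives either way.
    print("octet-counting, unescaped: ", records_seen_by_receiver(MESSAGE, False, True))
```

The first case is the failure mode the advisory describes for the renamed newLineEscape attribute; the third shows why a downgrade from length-prefixed TLS framing to unframed TCP, as described for useTlsMessageFormat, removes a boundary guarantee the receiver was relying on.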

Affected Version(s)

Apache Log4j Core 2.21.0 < 2.25.4

Apache Log4j Core 3.0.0-beta1 <= 3.0.0-beta3

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Samuli Leinonen