XML Processing Flaw in Apache Log4j 1-to-Log4j 2 Bridge
CVE-2026-34479

6.9 MEDIUM

Key Information:

Vendor: Apache

CVE Published: 10 April 2026

What is CVE-2026-34479?

The Apache Log4j 1-to-Log4j 2 bridge's Log4j1XmlLayout has a flaw: it fails to correctly escape characters that XML 1.0 forbids, so it can emit malformed XML output. Conforming XML parsers raise fatal errors on such documents, which can disrupt downstream log processing systems and cause them to drop, or fail to index, important log records. The vulnerability affects users who use Log4j1XmlLayout directly in Log4j Core 2 configuration files, as well as those who rely on the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout. Users are urged to upgrade to version 2.25.4 and to consider migrating away from the deprecated bridge by following the provided migration guidelines.
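As an added illustration (this is not code from the Log4j project), the following Python check implements the XML 1.0 character rule the advisory refers to: it can be run over existing log output to find the characters a vulnerable layout emitted unescaped, and it shows why such a document fails in a conforming parser while a sanitised one succeeds. Because XML 1.0 gives these code points no legal spelling at all, the sanitiser replaces them with a visible marker rather than escaping them; the event markup and the sample message are constructed for the example.

```python
import xml.etree.ElementTree as ET

# XML 1.0 "Char" production (section 2.2): the only code points a
# well-formed document may contain, literally or via character references.
def is_xml10_char(cp: int) -> bool:
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)

def find_forbidden_chars(text: str) -> list:
    """Return (offset, character) pairs for every XML 1.0 forbidden character."""
    return [(i, ch) for i, ch in enumerate(text) if not is_xml10_char(ord(ch))]

def sanitize_xml10(text: str) -> str:
    """Replace forbidden characters with a visible \\uXXXX marker.

    A character reference such as &#x1b; is just as ill-formed in XML 1.0,
    so these characters must be replaced or dropped, not escaped.
    """
    return "".join(ch if is_xml10_char(ord(ch)) else "\\u%04X" % ord(ch)
                   for ch in text)

def parses_as_xml(document: str) -> bool:
    """True if a conforming (expat-based) parser accepts the document."""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False

# Constructed sample: a log message carrying an ANSI colour sequence
# (ESC, U+001B) and a form feed (U+000C), neither of which XML 1.0 permits.
# The element layout is an illustration, not the exact Log4j1XmlLayout output.
SAMPLE_MESSAGE = "user login failed for \x1b[31malice\x1b[0m\x0c"
EVENT_TEMPLATE = (
    '<log4j:event logger="auth" level="WARN" timestamp="1775779200000" '
    'xmlns:log4j="http://jakarta.apache.org/log4j/">'
    "<log4j:message><![CDATA[{message}]]></log4j:message>"
    "</log4j:event>"
)

def render_event(message: str, sanitize: bool) -> str:
    """Render one event; sanitize=True models a corrected layout."""
    if sanitize:
        message = sanitize_xml10(message)
    return EVENT_TEMPLATE.format(message=message)

if __name__ == "__main__":
    print("forbidden:", find_forbidden_chars(SAMPLE_MESSAGE))
    print("raw event parses:", parses_as_xml(render_event(SAMPLE_MESSAGE, False)))
    print("sanitised event parses:", parses_as_xml(render_event(SAMPLE_MESSAGE, True)))
```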

Affected Version(s)

Apache Log4j 1 to Log4j 2 bridge 2.7 < 2.25.4

Apache Log4j 1 to Log4j 2 bridge 3.0.0-alpha1 <= 3.0.0-beta2

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters)
jabaltarik1 (independently)