Apache Log4j JSON Template Layout Vulnerability in Log Management Software
CVE-2026-34481

6.3 MEDIUM

Key Information:

Vendor

Apache

CVE Published:
10 April 2026

What is CVE-2026-34481?

Apache Log4j’s JsonTemplateLayout component, present in versions 2.0 to 2.25.3, is prone to producing invalid JSON output when logging non-finite floating-point values (such as NaN, Infinity, or -Infinity). This non-compliance with RFC 8259 can lead to issues in downstream systems that process or index log records, potentially resulting in rejected or mismanaged logs. An attacker can exploit this vulnerability if they control floating-point values within a MapMessage logged by the application utilizing JsonTemplateLayout. Upgrading to version 2.25.4 resolves this issue.
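A downstream check for the condition described above, as an added example that is not part of the original advisory or of Log4j: it scans newline-delimited JSON log records for bare NaN, Infinity or -Infinity tokens. Python's json module accepts these tokens by default, so the check uses the parse_constant hook to reject them; the sample records and field names are constructed.

```python
import json


class NonFiniteToken(ValueError):
    """Raised when a record contains a bare NaN, Infinity or -Infinity."""


def _reject(token):
    # json.loads calls parse_constant only for the tokens NaN, Infinity
    # and -Infinity, which RFC 8259 does not allow as number values.
    raise NonFiniteToken(token)


def check_line(line):
    """Classify one log record: 'ok', 'non-finite:<token>' or 'malformed'."""
    try:
        json.loads(line, parse_constant=_reject)
    except NonFiniteToken as exc:
        return f"non-finite:{exc}"
    except json.JSONDecodeError:
        return "malformed"
    return "ok"


def audit(lines):
    """Return (line_number, verdict) for every record that fails the check."""
    findings = []
    for number, line in enumerate(lines, start=1):
        verdict = check_line(line)
        if verdict != "ok":
            findings.append((number, verdict))
    return findings


# Constructed sample records (not real JsonTemplateLayout output).
SAMPLE = [
    '{"level":"INFO","message":{"latencyMs":12.5}}',
    '{"level":"INFO","message":{"latencyMs":NaN}}',
    '{"level":"WARN","message":{"ratio":-Infinity,"note":"NaN"}}',
    '{"level":"INFO","message":{"note":"Infinity is only a string here"}}',
    '{"level":"INFO","message":{"latencyMs":12.5',
]

if __name__ == "__main__":
    for number, verdict in audit(SAMPLE):
        print(f"record {number}: {verdict}")
```

Records flagged as non-finite are the ones a strict RFC 8259 consumer would reject; the quoted strings "NaN" and "Infinity" are valid JSON and pass.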

Affected Version(s)

Apache Log4j JSON Template Layout 2.14.0 < 2.25.4

Apache Log4j JSON Template Layout 3.0.0-alpha1 <= 3.0.0-beta3

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie)