XML Layout Vulnerability in Apache Log4net Affects Logging Functionality
CVE-2026-40021

6.3MEDIUM

Key Information:

Vendor

Apache
Status
Apache Log4net
Vendor
CVE Published:
10 April 2026

What is CVE-2026-40021?

Apache Log4net's XmlLayout and XmlLayoutSchemaLog4J prior to version 3.3.0 have a vulnerability that fails to properly sanitize characters restricted by the XML 1.0 specification in MDC property keys and values. This issue allows an attacker to manipulate the identity field, which can lead to exceptions during serialization and ultimately result in the silent loss of logs. Consequently, this vulnerability can obstruct audit trails and hinder the detection of malicious activities. Users are recommended to update to Apache Log4net version 3.3.0 or later to mitigate this issue.

Affected Version(s)

Apache Log4net 0 < 3.3.0

References

https://github.com/apache/logging-log4net/pull/280
patch
https://logging.apache.org/security.html#CVE-2026-40021
vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml
vendor-advisory

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

f00dat
.