XML Parsing Issue in Apache Log4cxx Affects Log Integrity
CVE-2026-40023

6.3MEDIUM

Key Information:

Vendor

Apache
Status
Apache Log4cxx
Apache Log4cxx (conan)
Apache Log4cxx (brew)
Vendor
CVE Published:
10 April 2026

What is CVE-2026-40023?

An issue in Apache Log4cxx's XMLLayout allows the inclusion of characters forbidden by the XML 1.0 specification, resulting in the generation of invalid XML output in log data. This flaw can enable an attacker to manipulate recorded logs, which may lead to the omission of critical log records essential for maintaining secure audit trails. Consequently, systems relying on these logs for monitoring malicious activities might either fail to index or entirely drop affected records. Users are encouraged to upgrade to Apache Log4cxx version 1.7.0, where this issue has been addressed.

Affected Version(s)

Apache Log4cxx 0 < 1.7.0

Apache Log4cxx (Brew) 0 < 1.7.0

Apache Log4cxx (Conan) 0 < 1.7.0

References

https://github.com/apache/logging-log4cxx/pull/609
patch
https://logging.apache.org/security.html#CVE-2026-40023
vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml
vendor-advisory

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Olawale Titiloye
.