CVE-2026-34478 (GCVE-0-2026-34478)
Vulnerability from cvelistv5
Published
2026-04-10 15:40
Modified
2026-04-10 17:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.
Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:
* The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
* The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.
Users of the SyslogAppender are not affected, as its configuration attributes were not modified.
Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Log4j Core |
Version: 2.21.0 Version: 3.0.0-beta1 cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-10T16:18:17.528Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/10/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T17:48:27.852992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:50:12.484Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"cpes": [
"cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "org.apache.logging.log4j:log4j-core",
"packageURL": "pkg:maven/org.apache.logging.log4j/log4j-core",
"product": "Apache Log4j Core",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.25.4",
"status": "affected",
"version": "2.21.0",
"versionType": "maven"
},
{
"lessThanOrEqual": "3.0.0-beta3",
"status": "affected",
"version": "3.0.0-beta1",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Samuli Leinonen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eApache Log4j Core\u0027s \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout\"\u003eRfc5424Layout\u003c/a\u003e\u003c/code\u003e, in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.\u003c/p\u003e\u003cp\u003eTwo distinct issues affect users of stream-based syslog services who configure \u003ccode\u003eRfc5424Layout\u003c/code\u003e directly:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe \u003ccode\u003enewLineEscape\u003c/code\u003e attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.\u003c/li\u003e\u003cli\u003eThe \u003ccode\u003euseTlsMessageFormat\u003c/code\u003e attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers of the \u003ccode\u003eSyslogAppender\u003c/code\u003e are not affected, as its configuration attributes were not modified.\u003c/p\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.\u003c/p\u003e"
}
],
"value": "Apache Log4j Core\u0027s Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.\n\nTwo distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:\n\n * The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.\n * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.\n\n\nUsers of the SyslogAppender are not affected, as its configuration attributes were not modified.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-684",
"description": "CWE-684 Incorrect Provision of Specified Functionality",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117 Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T15:40:17.713Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/logging-log4j2/pull/4074"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://logging.apache.org/security.html#CVE-2026-34478"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://logging.apache.org/cyclonedx/vdr.xml"
},
{
"tags": [
"related"
],
"url": "https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-12-25T12:58:00.000Z",
"value": "Vulnerability reported by Samuli Leinonen"
},
{
"lang": "en",
"time": "2026-03-10T16:00:00.000Z",
"value": "Candidate patch shared internally by Piotr P. Karwasz"
},
{
"lang": "en",
"time": "2026-03-24T18:41:00.000Z",
"value": "Fix shared publicly by Piotr P. Karwasz as pull request #4074"
},
{
"lang": "en",
"time": "2026-03-25T11:02:00.000Z",
"value": "Fix verified by reporter"
},
{
"lang": "en",
"time": "2026-03-28T11:19:00.000Z",
"value": "Log4j 2.25.4 released"
}
],
"title": "Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-34478",
"datePublished": "2026-04-10T15:40:17.713Z",
"dateReserved": "2026-03-28T13:17:35.586Z",
"dateUpdated": "2026-04-10T17:50:12.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/04/10/7\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-04-10T16:18:17.528Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34478\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-10T17:48:27.852992Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-10T17:50:01.256Z\"}}], \"cna\": {\"title\": \"Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Samuli Leinonen\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.9, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*\"], \"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Log4j Core\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.21.0\", \"lessThan\": \"2.25.4\", \"versionType\": \"maven\"}, {\"status\": \"affected\", \"version\": \"3.0.0-beta1\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"3.0.0-beta3\"}], \"packageURL\": \"pkg:maven/org.apache.logging.log4j/log4j-core\", \"packageName\": \"org.apache.logging.log4j:log4j-core\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-12-25T12:58:00.000Z\", \"value\": \"Vulnerability reported by Samuli Leinonen\"}, {\"lang\": \"en\", \"time\": \"2026-03-10T16:00:00.000Z\", \"value\": \"Candidate patch shared internally by Piotr P. Karwasz\"}, {\"lang\": \"en\", \"time\": \"2026-03-24T18:41:00.000Z\", \"value\": \"Fix shared publicly by Piotr P. Karwasz as pull request #4074\"}, {\"lang\": \"en\", \"time\": \"2026-03-25T11:02:00.000Z\", \"value\": \"Fix verified by reporter\"}, {\"lang\": \"en\", \"time\": \"2026-03-28T11:19:00.000Z\", \"value\": \"Log4j 2.25.4 released\"}], \"references\": [{\"url\": \"https://github.com/apache/logging-log4j2/pull/4074\", \"tags\": [\"patch\"]}, {\"url\": \"https://logging.apache.org/security.html#CVE-2026-34478\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://logging.apache.org/cyclonedx/vdr.xml\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout\", \"tags\": [\"related\"]}, {\"url\": \"https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Apache Log4j Core\u0027s Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.\\n\\nTwo distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:\\n\\n * The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.\\n * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.\\n\\n\\nUsers of the SyslogAppender are not affected, as its configuration attributes were not modified.\\n\\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eApache Log4j Core\u0027s \u003ccode\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout\\\"\u003eRfc5424Layout\u003c/a\u003e\u003c/code\u003e, in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.\u003c/p\u003e\u003cp\u003eTwo distinct issues affect users of stream-based syslog services who configure \u003ccode\u003eRfc5424Layout\u003c/code\u003e directly:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe \u003ccode\u003enewLineEscape\u003c/code\u003e attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.\u003c/li\u003e\u003cli\u003eThe \u003ccode\u003euseTlsMessageFormat\u003c/code\u003e attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers of the \u003ccode\u003eSyslogAppender\u003c/code\u003e are not affected, as its configuration attributes were not modified.\u003c/p\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-684\", \"description\": \"CWE-684 Incorrect Provision of Specified Functionality\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-117\", \"description\": \"CWE-117 Improper Output Neutralization for Logs\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-04-10T15:40:17.713Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-34478\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-10T17:50:12.484Z\", \"dateReserved\": \"2026-03-28T13:17:35.586Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-04-10T15:40:17.713Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…