Cyber Resilience

CVE-2026-34480

Medium

Published: 10 April 2026

Published
10 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 10.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34480 is a medium-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Apache Log4J. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002); ranked at the 10.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-5 (Response to Audit Logging Process Failures) and SI-2 (Flaw Remediation).

Deeper analysis

Apache Log4j Core's XmlLayout, in versions up to and including 2.25.3, contains a vulnerability (CVE-2026-34480) where it fails to sanitize characters forbidden by the XML 1.0 specification in log messages or Mapped Diagnostic Context (MDC) values. This results in invalid XML output when such characters are present. The issue affects applications using Log4j Core with XmlLayout for logging, particularly those relying on downstream XML processing.

Attackers with the ability to control log message content or MDC values—such as through user inputs that are logged—can exploit this remotely with low complexity and no privileges required (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N; CWE-116). Depending on the StAX implementation, exploitation produces either malformed XML that conforming parsers reject, potentially causing downstream log-processing systems to drop affected records, or throws an exception (e.g., with Woodstox, a transitive dependency of Jackson XML Dataformat), preventing delivery to the intended appender and routing only to Log4j's internal status logger. This leads to log record loss or integrity violations.

Apache advisories recommend upgrading to Log4j Core 2.25.4, which addresses the issue by sanitizing forbidden characters before XML output. Relevant resources include the official security advisory at https://logging.apache.org/security.html#CVE-2026-34480, the fixing pull request at https://github.com/apache/logging-log4j2/pull/4077, and the XmlLayout documentation at https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout.

EU & UK References

Vulnerability details

Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact…

more

depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1565.002 Transmitted Data Manipulation Impact
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability allows control over log/MDC content to inject forbidden XML characters, producing malformed output that causes integrity violations or dropped records in downstream XML processing, directly enabling transmitted data manipulation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34478Same product: Apache Log4J
CVE-2026-34481Same product: Apache Log4J
CVE-2026-34483Same vendor: Apache
CVE-2026-42810Same vendor: Apache
CVE-2026-41604Same vendor: Apache
CVE-2026-46586Same vendor: Apache
CVE-2026-30911Same vendor: Apache
CVE-2025-54550Same vendor: Apache
CVE-2026-30912Same vendor: Apache
CVE-2026-42252Same vendor: Apache

Affected Assets

apache
log4j
3.0.0 · 2.0 — 2.25.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of flaws like CVE-2026-34480 by patching Log4j Core to version 2.25.4.

detectrespond

Mandates alerting personnel and taking actions upon audit logging process failures, such as exceptions thrown by vulnerable XmlLayout during forbidden character processing.

prevent

Requires validation of user inputs before logging to block XML-forbidden characters that attackers inject to trigger malformed output or exceptions.

References