CVE-2026-34477
Received Received - Intake
Incomplete TLS Hostname Verification in Apache Log4j Core Network Appenders

Publication date: 2026-04-10

Last updated on: 2026-05-06

Assigner: Apache Software Foundation

Description
The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the <Ssl> element. Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met: * An SMTP, Socket, or Syslog appender is in use. * TLS is configured via a nested <Ssl> element. * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34477
EUVD
EUVD-2026-21407
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
apache log4j 3.0.0
apache log4j 3.0.0
apache log4j 3.0.0
apache log4j 3.0.0
apache log4j 3.0.0
apache log4j 3.0.0
apache log4j From 2.12.0 (inc) to 2.25.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
CWE-297 The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability arises from an incomplete fix for a previous issue (CVE-2025-68161) in Apache Log4j Core. The problem is that hostname verification during TLS connections was only enforced when enabled via a specific system property (log4j2.sslVerifyHostName), but not when configured through the verifyHostName attribute of the <Ssl> element in the configuration.

Although the verifyHostName attribute was introduced in Log4j Core 2.12.0, it was ignored silently in all versions up to 2.25.3. This means that TLS connections using SMTP, Socket, or Syslog appenders with nested <Ssl> elements were vulnerable to man-in-the-middle attacks if an attacker could present a trusted certificate.

The issue does not affect HTTP appenders, which use a different verifyHostname attribute that was not impacted by this bug.

The vulnerability is fixed in Apache Log4j Core version 2.25.4.

Impact Analysis

This vulnerability can allow a network-based attacker to perform a man-in-the-middle (MITM) attack on TLS connections established by Log4j appenders (SMTP, Socket, or Syslog) that use the <Ssl> element for TLS configuration.

If the attacker can present a certificate trusted by the appender's trust store or the default Java trust store, they could intercept or manipulate data transmitted over these TLS connections without detection.

This undermines the confidentiality and integrity of the data being logged or transmitted, potentially exposing sensitive information or allowing injection of malicious data.

Detection Guidance

This vulnerability involves improper hostname verification in Apache Log4j Core versions up to 2.25.3 when using SMTP, Socket, or Syslog appenders with TLS configured via the <Ssl> element. Detection involves identifying if your system uses these appenders with TLS and if the Log4j version is affected.

You can check your Log4j Core version to see if it is 2.25.3 or earlier, which are vulnerable.

To detect usage of vulnerable configurations, you may search your application configuration files for SMTP, Socket, or Syslog appenders that use the <Ssl> element with the verifyHostName attribute.

Example commands to assist detection:

  • Check Log4j version in your application dependencies or runtime environment, e.g., using command: `mvn dependency:list | grep log4j-core` or inspecting your packaged libraries.
  • Search configuration files for usage of SMTP, Socket, or Syslog appenders with SSL configuration: `grep -r '<Ssl' /path/to/config` or `grep -r 'verifyHostName' /path/to/config`.
  • Monitor network traffic for suspicious TLS connections that could indicate man-in-the-middle attempts, especially if certificates are presented by unknown or unexpected CAs trusted by your Java trust store.
Mitigation Strategies

The primary mitigation step is to upgrade Apache Log4j Core to version 2.25.4 or later, which includes the fix for this vulnerability.

If upgrading immediately is not possible, review your Log4j configuration to ensure that SMTP, Socket, or Syslog appenders are not using TLS with the <Ssl> element and the verifyHostName attribute, or disable these appenders if feasible.

Additionally, ensure that your trust store only contains trusted certificate authorities to reduce the risk of man-in-the-middle attacks.

Compliance Impact

This vulnerability allows a network-based attacker to perform a man-in-the-middle attack on TLS connections used by certain Log4j appenders when hostname verification is not properly enforced. Such interception of data in transit can lead to unauthorized access or disclosure of sensitive information.

Because of this, organizations using affected versions of Log4j Core (prior to 2.25.4) with SMTP, Socket, or Syslog appenders configured with TLS via the <Ssl> element may be at increased risk of data breaches or exposure.

This risk can impact compliance with common security and privacy standards and regulations such as GDPR and HIPAA, which require appropriate safeguards to protect personal and sensitive data, including secure transmission.

Failure to properly verify hostnames in TLS connections could be seen as a weakness in the security controls mandated by these regulations, potentially leading to non-compliance issues if exploited.

Upgrading to Apache Log4j Core 2.25.4 or later, which fixes this issue by correctly enforcing hostname verification, is advised to maintain compliance and reduce security risks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34477. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart