CVE-2026-34479
XML Injection in Apache Log4j 1-to-2 Bridge Causes Log Processing Failures
Publication date: 2026-04-10
Last updated on: 2026-05-06
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | log4j | 3.0.0 |
| apache | log4j | 3.0.0 |
| apache | log4j | 3.0.0 |
| apache | log4j | 3.0.0 |
| apache | log4j | 3.0.0 |
| apache | log4j | From 2.7 (inc) to 2.25.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in CVE-2026-34479 concerns the Log4j1XmlLayout component in the Apache Log4j 1-to-Log4j 2 bridge. This component fails to properly escape characters that are forbidden by the XML 1.0 standard, resulting in malformed XML output.
Because XML parsers that conform to the XML 1.0 standard must reject documents containing such invalid characters with a fatal error, this malformed XML can cause downstream log processing systems to drop or fail to index the affected log records.
This affects users who either use Log4j1XmlLayout directly in a Log4j Core 2 configuration or those using the Log4j 1 configuration compatibility layer with the XMLLayout class.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability causes malformed XML output in logs due to failure to escape forbidden XML characters, which can lead to downstream log processing systems dropping or failing to index affected log records.
This loss or failure to properly record log events may impact compliance with standards and regulations such as GDPR or HIPAA, which require accurate and complete logging for auditing, monitoring, and forensic purposes.
If logs are incomplete or missing due to this vulnerability, organizations may fail to meet regulatory requirements for data integrity, traceability, and incident response.
Users are advised to upgrade to the fixed version 2.25.4 of the Apache Log4j 1-to-Log4j 2 bridge to ensure well-formed XML logs and reliable log processing, thereby supporting compliance efforts.
How can this vulnerability impact me? :
This vulnerability can impact you by causing your log data to become malformed XML, which conforming XML parsers will reject with fatal errors.
As a result, downstream log processing systems may drop or fail to index affected log records, potentially leading to loss of important logging information.
This can impair your ability to monitor, audit, or troubleshoot your systems effectively because some log entries may be missing or inaccessible.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in the Apache Log4j 1-to-Log4j 2 bridge, users are advised to upgrade to version 2.25.4 of the bridge, which corrects the issue by sanitizing invalid XML characters in log output.
Additionally, since the bridge is deprecated and will not be present in Log4j 3, users should consider migrating away from the bridge entirely by following the Log4j 1 to Log4j 2 migration guide.
- Upgrade Apache Log4j 1-to-Log4j 2 bridge to version 2.25.4.
- Consult and follow the Log4j 1 to Log4j 2 migration guide to eliminate reliance on the deprecated bridge.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Log4j1XmlLayout component producing malformed XML output due to unescaped forbidden XML 1.0 characters. Detection would involve identifying log files or log output generated by the affected Log4j 1-to-Log4j 2 bridge versions (2.7 up to but not including 2.25.4) or configurations using Log4j1XmlLayout or the Log4j 1 compatibility layer with org.apache.log4j.xml.XMLLayout.
Since the issue manifests as malformed XML logs containing invalid XML characters, one detection approach is to scan log files for XML parse errors or invalid XML characters that violate XML 1.0 standards.
Suggested commands to detect the vulnerability or its effects could include:
- Use XML parsers or validators (e.g., xmllint) on log files to check for fatal errors indicating malformed XML.
- Run grep or similar text search commands to find control characters or forbidden XML characters in log files, for example:
- grep -P '[\x00-\x08\x0B\x0C\x0E-\x1F]' /path/to/logfile
- Check your application or service configurations to identify usage of Log4j1XmlLayout or the Log4j 1 compatibility bridge by searching for relevant configuration entries, e.g.:
- grep -r 'Log4j1XmlLayout' /path/to/config/
- grep -r 'org.apache.log4j.xml.XMLLayout' /path/to/config/
Additionally, verifying the version of the Apache Log4j 1-to-Log4j 2 bridge in use can help determine if the system is vulnerable. This can be done by checking the dependency versions in your build or runtime environment.