CVE-2026-34480
XML Injection in Apache Log4j Core XmlLayout Causes Malformed Logs
Publication date: 2026-04-10
Last updated on: 2026-04-24
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | log4j | 3.0.0 |
| apache | log4j | From 2.0 (inc) to 2.25.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Apache Log4j Core's XmlLayout component in versions up to and including 2.25.3. The issue is that it fails to sanitize characters forbidden by the XML 1.0 specification, which results in invalid XML output when a log message or MDC value contains such forbidden characters.
Depending on the StAX implementation used, this can either produce malformed XML that conforming parsers reject with fatal errors or cause exceptions during logging that prevent the log event from being delivered.
The vulnerability was fixed in version 2.25.4 by sanitizing forbidden characters before XML output, replacing invalid XML characters with the Unicode replacement character U+FFFD to ensure well-formed XML.
How can this vulnerability impact me?
The impact depends on the StAX XML parser implementation used in your environment:
- If using the JRE built-in StAX, forbidden characters are silently written, producing malformed XML. Conforming XML parsers will reject these malformed logs with fatal errors, which may cause downstream log-processing systems to drop affected log records.
- If using alternative StAX implementations like Woodstox, an exception is thrown during the logging call, preventing the log event from being delivered to its intended appender and only logging internally to Log4j's status logger.
In both cases, this can lead to loss of log data or failure in log processing, which can affect monitoring, auditing, and troubleshooting activities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests when Apache Log4j Core's XmlLayout produces malformed XML output due to forbidden XML 1.0 characters in log messages or MDC values.
Detection can involve monitoring log files for malformed XML entries or errors from downstream XML parsers rejecting log data.
Since the issue depends on the StAX implementation, logs may either contain invalid XML characters or logging calls may throw exceptions preventing log delivery.
To detect the vulnerability on your system, you can search your log files for invalid XML characters or parse errors. For example, you might use commands like:
- `grep -P '[\x00-\x08\x0B\x0C\x0E-\x1F]' /path/to/logfile.xml`
- `xmllint --noout /path/to/logfile.xml`
The first command searches for control characters forbidden in XML 1.0, and the second validates XML well-formedness, which may fail if malformed XML is present.
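An added example (not part of this record or of Log4j's code): a Python check that applies the full XML 1.0 Char production, which goes beyond the grep above by also flagging U+FFFE, U+FFFF and lone surrogates, scans constructed sample log lines for forbidden characters, and shows the U+FFFD replacement that the 2.25.4 fix is described as performing. The function names and the sample lines are my own.

```python
import re
from typing import Iterable, List, Tuple

# XML 1.0 "Char" production:
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
# Everything else (other C0 controls, U+FFFE, U+FFFF, lone surrogates) is
# forbidden, so the negated class below matches exactly the forbidden characters.
_FORBIDDEN_XML_CHAR = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

# U+FFFD, the replacement character the fixed XmlLayout is described as emitting.
REPLACEMENT_CHAR = "\uFFFD"


def forbidden_xml_chars(text: str) -> List[Tuple[int, str]]:
    """Return (offset, char) for every character XML 1.0 does not allow."""
    return [(m.start(), m.group()) for m in _FORBIDDEN_XML_CHAR.finditer(text)]


def sanitize_for_xml(text: str) -> str:
    """Replace each forbidden character with U+FFFD so the output stays well-formed."""
    return _FORBIDDEN_XML_CHAR.sub(REPLACEMENT_CHAR, text)


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, int, str]]:
    """Scan log lines; return (line number, offset, 'U+XXXX') per forbidden character."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for offset, ch in forbidden_xml_chars(line):
            findings.append((lineno, offset, f"U+{ord(ch):04X}"))
    return findings


# Constructed sample lines (hypothetical XmlLayout-style output, not real log data).
# Line 2 carries a NUL and an ESC from an unsanitized message; line 3's tab is allowed.
SAMPLE_LOG_LINES = [
    '<Event level="INFO"><Message>user login ok</Message></Event>',
    '<Event level="WARN"><Message>bad input: \x00\x1b[31m</Message></Event>',
    '<Event level="INFO"><Message>tab\tis fine</Message></Event>',
]


if __name__ == "__main__":
    for lineno, offset, cp in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {lineno} offset {offset}: forbidden {cp}")
    print(sanitize_for_xml(SAMPLE_LOG_LINES[1]))
```

To check a real file, read it with `errors="surrogateescape"` and pass its lines to `scan_log_lines`; a non-empty result means downstream XML parsers will reject those records.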
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Apache Log4j Core to version 2.25.4 or later, where the issue is fixed by sanitizing forbidden XML characters before output.
This update replaces invalid XML characters with the Unicode replacement character U+FFFD, ensuring well-formed XML output and preventing exceptions or malformed logs.
Until the upgrade can be applied, consider monitoring logs for malformed XML and errors, and avoid logging data that may contain forbidden XML characters.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes Apache Log4j Core's XmlLayout to produce malformed XML output when log messages contain forbidden XML characters. This can lead to log-processing systems dropping affected records or silently losing log events.
Such loss or corruption of log data can impact the integrity and reliability of logs, which are critical for auditing, monitoring, and incident response required by compliance standards like GDPR and HIPAA.
Therefore, this vulnerability may hinder an organization's ability to maintain accurate and complete logs, potentially affecting compliance with regulations that mandate secure and reliable logging practices.
Upgrading to Apache Log4j Core 2.25.4, which sanitizes forbidden characters and ensures well-formed XML logs, is advised to mitigate these risks and support compliance requirements.