CVE-2026-34478: Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility
Published Apr 10, 2026
Apache Log4j Core's Rfc5424Layout
Affected Software
6 affected components
Apache Log4j Core: >=2.21.0, <=2.25.3
Apache Log4j: >=2.21.0, <2.25.4
Apache Log4j: =3.0.0-beta1
Apache Log4j: =3.0.0-beta2
Apache Log4j: =3.0.0-beta3
IBM watsonx.data: <=2.2- 2.3.1
Remediation
Patch Available
Event History
Apr 10, 2026
CVE Published via MITRE · 03:40 PM
Data Sourced via MITRE · 03:40 PM: Description, Weakness
Data Sourced via NVD · 04:16 PM: Remedy, Description, Severity, Weakness, Affected Software
May 9, 2026
Data Sourced via IBM · 12:00 AM: Description, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2026-34478?
CVE-2026-34478 has been rated as a medium severity vulnerability due to the risk of log injection impacting the integrity of log files.
2. How do I fix CVE-2026-34478?
To fix CVE-2026-34478, upgrade to Apache Log4j Core version 2.25.4 or later, which addresses the log injection vulnerability.
3. What versions of Apache Log4j Core are affected by CVE-2026-34478?
CVE-2026-34478 affects Apache Log4j Core versions from 2.21.0 to 2.25.3.
4. What kind of attacks can be executed using CVE-2026-34478?
CVE-2026-34478 allows attackers to perform log injection attacks, leading to potential information disclosure or unauthorized command execution.
5. Is CVE-2026-34478 a concern for all users of Apache Log4j Core?
Yes, all users of Apache Log4j Core in the affected versions should be concerned and take immediate steps to mitigate the vulnerability.