Improper Certificate Validation in Apache Log4j - CVE-2026-34477


Published: April 28, 2026

Vulnerability identifier: #VU128399
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34477
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Software Foundation
Affected software:
Apache Log4j

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a man-in-the-middle attack.

The vulnerability exists due to improper certificate validation in Log4j Core: the verifyHostName attribute of the nested SSL configuration element is not handled correctly when the SMTP, Socket, and Syslog appenders establish TLS connections, so the name of the server the appender connects to is not properly checked against the certificate it presents. A remote attacker positioned between the application and its log destination or mail server can present a certificate issued by a trusted certificate authority for a different hostname and perform a man-in-the-middle attack, reading or altering the logged data in transit.

The issue occurs only when TLS is configured via a nested SSL configuration element on one of those appenders; the HTTP appender is not affected.
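The configuration shape the advisory refers to, as an added example that is not part of the original advisory or the Log4j project's own documentation: a Socket appender shipping logs over TLS with the SSL configuration nested inside the appender element. The hostnames, ports, store file names and environment variable names are placeholders chosen for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example log4j2.xml (constructed for illustration, not from the advisory). -->
<Configuration status="WARN">
  <Appenders>
    <!-- Socket appender with TLS configured through a nested SSL element.
         This is the configuration path described in the advisory; the same
         nested SSL element can be used on the Syslog and SMTP appenders. -->
    <Socket name="TlsLogShipper"
            host="logs.example.internal"
            port="6514"
            protocol="SSL"
            connectTimeoutMillis="5000">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1} - %m%n"/>
      <!-- verifyHostName="true" requests that the server's certificate be
           checked against the host above. On affected Log4j versions the
           handling of this attribute is the flaw; the vendor update is what
           restores correct behaviour for Socket, Syslog and SMTP appenders. -->
      <SSL protocol="TLSv1.3" verifyHostName="true">
        <!-- Client certificate for mutual TLS (optional). -->
        <KeyStore location="conf/client.p12"
                  type="PKCS12"
                  passwordEnvironmentVariable="LOG4J_KEYSTORE_PASSWORD"/>
        <!-- Private CA that issued the log collector's certificate. Pinning a
             dedicated CA here, rather than the JVM default trust store, limits
             which issuers can sign a certificate the appender will accept. -->
        <TrustStore location="conf/log-collector-ca.p12"
                    type="PKCS12"
                    passwordEnvironmentVariable="LOG4J_TRUSTSTORE_PASSWORD"/>
      </SSL>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="TlsLogShipper"/>
    </Root>
  </Loggers>
</Configuration>
```

Two practical consequences follow from the advisory's description. First, the nested SSL element is the affected path, so deployments that use the HTTP appender or that obtain TLS some other way are outside its scope. Second, the fix is the vendor update rather than a configuration change: on affected versions the attribute in question is the part that is mishandled, so the configuration above should be treated as necessary but not sufficient until Log4j Core is upgraded.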

How to mitigate CVE-2026-34477

Install the security update from the vendor's website. Because the flaw lies in how the affected appenders handle the verifyHostName attribute of the nested SSL element, enabling that attribute in the configuration is not by itself a workaround on unpatched versions; upgrading Log4j Core is the fix.

Sources