CVE-2026-34479: Apache Log4j 1 to Log4j 2 bridge: silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters
(updated )
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.
Two groups of users are affected:
- Those using
Log4j1XmlLayoutdirectly in a Log4j Core 2 configuration file. - Those using the Log4j 1 configuration compatibility layer with
org.apache.log4j.xml.XMLLayoutspecified as the layout class.
Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.
[!NOTE] The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide, and specifically the section on eliminating reliance on the bridge.
References
- github.com/advisories/GHSA-h383-gmxw-35v2
- github.com/apache/logging-log4j2
- github.com/apache/logging-log4j2/pull/4078
- lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on
- logging.apache.org/cyclonedx/vdr.xml
- logging.apache.org/log4j/2.x/migrate-from-log4j1.html
- logging.apache.org/security.html
- nvd.nist.gov/vuln/detail/CVE-2026-34479
Code Behaviors & Features
Detect and mitigate CVE-2026-34479 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →