PT-2026-31939 · Apache · Log4J Core

Author: Danish Siddiqui +6
Published: 2026-04-10 · Updated: 2026-05-15

CVE-2026-34477
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
Apache Log4j Core versions 2.12.0 through 2.25.3

Description
A flaw exists where hostname verification is ignored when configured through the verifyHostName attribute of the '' element. This occurs even if the attribute is explicitly set, leaving TLS connections susceptible to interception. A network-based attacker could perform a man-in-the-middle attack if an SMTP, Socket, or Syslog appender is used, TLS is configured via a nested '' element, and the attacker possesses a certificate issued by a CA trusted by the configured or default Java trust store.

Recommendations
Upgrade to Apache Log4j Core 2.25.4.
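Because the advisory states that the verifyHostName attribute has no effect on affected versions, a deployment review cannot rely on the attribute's value: every SMTP, Socket, or Syslog appender that carries a nested TLS configuration on a log4j-core version in the affected range is exposed until the upgrade to 2.25.4 is applied. The following audit script is an added example written for this page; it is not code from the advisory or from the Apache Log4j project. It assumes that the nested TLS element the advisory elides is named Ssl in Log4j 2 XML configuration, that appenders may be written either as <Socket .../> or in strict mode as <Appender type="Socket" .../>, and it uses a constructed sample configuration that does not come from any real deployment.

```python
"""Audit a Log4j 2 XML configuration for the appender/TLS combination
described in CVE-2026-34477 and check the log4j-core version against the
affected range given in the advisory. Added example, not Apache's code."""
import re
import xml.etree.ElementTree as ET

# Appender plugin names the advisory lists as affected (compared case-insensitively).
AFFECTED_APPENDERS = {"smtp", "socket", "syslog"}
# Tag of the nested TLS configuration element. Assumption: Log4j 2 names it "Ssl";
# the advisory text elides the element name.
SSL_ELEMENT = "ssl"
# Affected range from the advisory: 2.12.0 through 2.25.3, fixed in 2.25.4.
FIRST_AFFECTED = (2, 12, 0)
FIRST_FIXED = (2, 25, 4)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Reduce '2.25.3' or '2.25.3-SNAPSHOT' to a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised log4j-core version: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_affected_version(version: str) -> bool:
    """True when log4j-core falls in [2.12.0, 2.25.4)."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def _appender_type(elem: ET.Element) -> str:
    """Log4j accepts <Socket .../> or, in strict mode, <Appender type="Socket" .../>."""
    if elem.tag.lower() == "appender":
        return elem.get("type", "").lower()
    return elem.tag.lower()


def find_risky_appenders(xml_text: str) -> list:
    """Return affected appenders that carry a nested TLS element.

    The verifyHostName value is recorded for the report only: on affected
    versions it is ignored, so a finding is raised whatever it says."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        kind = _appender_type(elem)
        if kind not in AFFECTED_APPENDERS:
            continue
        for child in elem:
            if child.tag.lower() == SSL_ELEMENT:
                findings.append({
                    "appender": elem.get("name"),
                    "type": kind,
                    "verify_host_name": child.get("verifyHostName"),
                })
    return findings


def audit(xml_text: str, log4j_version: str) -> dict:
    """Combine the version check with the configuration scan."""
    findings = find_risky_appenders(xml_text)
    affected = is_affected_version(log4j_version)
    return {
        "version_affected": affected,
        "vulnerable": affected and bool(findings),
        "findings": findings,
    }


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Socket name="audit" host="logs.example.internal" port="6514">
      <Ssl protocol="TLS" verifyHostName="true">
        <TrustStore location="/etc/app/truststore.p12"/>
      </Ssl>
      <JsonLayout/>
    </Socket>
    <Appender type="SMTP" name="mail" smtpHost="mail.example.internal"
              smtpPort="465" smtpProtocol="smtps" to="ops@example.internal"
              from="app@example.internal" subject="alert">
      <Ssl protocol="TLS"/>
    </Appender>
    <Console name="stdout"><PatternLayout pattern="%m%n"/></Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="audit"/><AppenderRef ref="mail"/></Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, "2.25.3")
    for f in report["findings"]:
        print(f"{f['type']} appender {f['appender']!r}: TLS configured, "
              f"verifyHostName={f['verify_host_name']!r} (not enforced on affected versions)")
    print("vulnerable:", report["vulnerable"])
```

Run against the sample with version 2.25.3 the script reports both the Socket appender (verifyHostName="true") and the strict-mode SMTP appender (attribute absent) as exposed; with 2.25.4 the findings remain listed for inventory purposes but the configuration is no longer reported as vulnerable, matching the advisory's recommendation that the upgrade, not the attribute, is the remediation.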

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2026-34477
GHSA-6HG6-V5C8-FPHQ
OPENSUSE-SU-2026:10544-1

Affected Products

Log4J Core