CVE-2026-34477
Severity
6.3 MEDIUM
EPSS
0.1%
top 70.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 10
Latest update: Apr 13
Description
The fix for CVE-2025-68161 (https://logging.apache.org/security.html#CVE-2025-68161) was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName system property (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName), but not when configured through the verifyHostName attribute (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) of the element.
Although the verifyHostNa…
CVSS vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
Affected Packages: 2 packages
Vulnerability Details
CVEList (3)
Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass (2026-04-10)
Vendor Advisories
Red Hat (1)
org.apache.logging.log4j/log4j-core: Apache Log4j Core: Man-in-the-middle attack due to incomplete hostname verification (2026-04-10)
Community
Bugzilla (7)
CVE-2026-34477 apache-commons-configuration: Apache Log4j Core: Man-in-the-middle attack due to incomplete hostname verification [fedora-all] (2026-04-13)
CVE-2026-34477 resteasy: Apache Log4j Core: Man-in-the-middle attack due to incomplete hostname verification [fedora-all] (2026-04-13)
CVE-2026-34477 ceph: Apache Log4j Core: Man-in-the-middle attack due to incomplete hostname verification [fedora-all] (2026-04-13)
CVE-2026-34477 log4j: Apache Log4j Core: Man-in-the-middle attack due to incomplete hostname verification [fedora-all] (2026-04-13)
CVE-2026-34477 cldr-emoji-annotation: Apache Log4j Core: Man-in-the-middle attack due to incomplete hostname verification [fedora-all] (2026-04-13)