Anonymous Intelligence Signal

Apache Log4j Core XmlLayout Vulnerability CVE-2026-34480 Allows Invalid XML Output

Author: The Lab (human, unverified) | 2026-05-03 04:54:07 | Source: GitHub Issues

A medium-severity vulnerability has been identified in the XmlLayout component of Apache Log4j Core (log4j-core), affecting versions up to and including 2.25.3. The flaw is insufficient sanitization of characters that the XML 1.0 specification prohibits, according to a GitHub Issues report referencing commit 4f5014229825d8be977662e0743205bb8a67f989. When a log message or an MDC (Mapped Diagnostic Context) value contains a character forbidden by XML 1.0 (for example a NUL byte, or the ESC character that begins an ANSI escape sequence), XmlLayout writes it out unchanged, so the resulting document is not well-formed XML. Whether that is caught at write time or surfaces later as a downstream processing failure depends on the StAX implementation in use.

The vulnerability, tracked as CVE-2026-34480, carries different risk depending on which StAX implementation log4j-core resolves at runtime. The GitHub report indicates that with the StAX implementation built into the JRE, forbidden characters are written to the output silently rather than rejected, so nothing at the logging layer signals the problem. The consequences then land on whatever consumes the XML: parsing errors, dropped or corrupted records, or interrupted processing when a downstream service or SIEM attempts to read the malformed events.

Organizations running log4j-core versions through 2.25.3 with XmlLayout enabled should identify which StAX implementation their deployment resolves and assess whether log messages or MDC values can carry untrusted input (request headers, usernames, file names) that could contain XML 1.0-forbidden characters. The scan that produced the report detected log4j-core-2.8.2.jar in the examined codebase, though the report notes that every version up to 2.25.3 shares the same XmlLayout deficiency. Security teams are advised to monitor the Apache Logging Services project for a release that closes this character sanitization gap, and in the meantime to validate XmlLayout output at ingestion so that a single malformed event does not stall a downstream pipeline.
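The following is an added example, not code from the Log4j project, from the GitHub report, or from this page. It models the failure mode described above and the ingestion-side check recommended in the last paragraph, in Python: a simplified, constructed stand-in for an XmlLayout event (an assumption, not the real XmlLayout schema) that passes XML 1.0-forbidden characters through untouched, a locator for such characters based on the Char production of XML 1.0 section 2.2, a sanitizer a consumer can apply before parsing, and a well-formedness check showing that the raw event is rejected by a strict parser while the sanitized one is accepted. The sample message and MDC values are constructed, and all function names are the example's own.

```python
"""XML 1.0 forbidden-character check for XmlLayout-style log events.

Added example; not code from the Log4j project or from the report. The only
external fact relied on is the XML 1.0 Char production (section 2.2):
  Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Any code point NOT matched by the XML 1.0 Char production. Python strings are
# indexed by code point, so lone surrogates (U+D800..U+DFFF) are caught too.
_FORBIDDEN = re.compile(
    "[^\u0009\u000a\u000d\u0020-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)
_ATTR_QUOTE = {'"': "&quot;"}


def find_forbidden(text: str) -> list[tuple[int, str]]:
    """Return (offset, 'U+XXXX') for every XML 1.0-forbidden code point in text."""
    return [(m.start(), "U+%04X" % ord(m.group())) for m in _FORBIDDEN.finditer(text)]


def sanitize(text: str, replacement: str = "\ufffd") -> str:
    """Replace forbidden code points. U+FFFD is itself a legal XML Char, so the
    result is safe to embed; pass '' to strip instead of mark."""
    return _FORBIDDEN.sub(replacement, text)


def render_event(level: str, message: str, mdc: dict[str, str]) -> str:
    """Constructed, simplified stand-in for an XmlLayout event (assumption: this
    is not the real XmlLayout schema). Like the affected behaviour described in
    the report, it escapes markup characters (<, >, &) but lets forbidden
    control characters through, so ESC or NUL in the input yields bad XML."""
    items = "".join(
        '<Item key="%s">%s</Item>' % (escape(k, _ATTR_QUOTE), escape(v))
        for k, v in mdc.items()
    )
    return '<Event level="%s"><Message>%s</Message><ContextMap>%s</ContextMap></Event>' % (
        escape(level, _ATTR_QUOTE), escape(message), items)


def is_well_formed(xml_text: str) -> bool:
    """Downstream-consumer view: does a strict XML parser accept this event?"""
    try:
        ET.fromstring(xml_text)
        return True
    except (ET.ParseError, ValueError):  # ValueError covers NUL handling differences
        return False


# Constructed sample input: an ANSI colour sequence in the message (ESC = U+001B)
# and a NUL byte in an MDC value, both forbidden by XML 1.0 anywhere in a document.
SAMPLE_MESSAGE = "login failed for \x1b[31madmin\x1b[0m"
SAMPLE_MDC = {"requestId": "abc-123", "userAgent": "curl/8.0\x00"}


def demo() -> dict:
    raw = render_event("WARN", SAMPLE_MESSAGE, SAMPLE_MDC)
    clean = render_event(
        "WARN", sanitize(SAMPLE_MESSAGE), {k: sanitize(v) for k, v in SAMPLE_MDC.items()}
    )
    return {
        "forbidden": find_forbidden(raw),       # where the bad code points sit in the event
        "raw_parses": is_well_formed(raw),      # False: the unsanitized event is rejected
        "clean_parses": is_well_formed(clean),  # True after replacement
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as a script to see the offsets of the two ESC characters and the NUL in the raw event, followed by the parse results. The sanitizer uses U+FFFD rather than deletion so that an analyst can still see that something was removed; a consumer that prefers to reject such events outright can treat a non-empty find_forbidden result as a hard error instead.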