Skip to main content

Apache Log4j API CVE-2026-49844

| EUVDEUVD-2026-43102 MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
2026-07-10 apache GHSA-qv9r-c865-cp47
6.3
CVSS 4.0 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.0 MEDIUM

AC:H reflects two mandatory non-default conditions; scope changed (S:C) because impact falls on downstream log systems, not the vulnerable application itself.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 22:12 vuln.today
CVE Published
Jul 10, 2026 - 21:14 cve.org
MEDIUM 6.3

DescriptionCVE.org

Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0.

The fix for CVE-2026-34481 did not cover all code paths: when a MapMessage contains a non-finite IEEE 754 value (NaN, Infinity, or -Infinity), MapMessage.asJson() emits the corresponding bare token. RFC 8259 does not permit these tokens, so a conformant parser rejects the resulting document.

The defect is reachable only when both of the following conditions hold:

  • The application uses the message resolver https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message of JsonTemplateLayout or any other layout that relies on MapMessage.asJson() or MapMessage.getFormattedMessage(new String[]{"JSON"}).
  • The application logs a MapMessage that contains an attacker-controlled floating-point value.

An attacker who can supply a non-finite value can cause the affected layout to emit malformed JSON, which may corrupt the enclosing log record or disrupt downstream log ingestion and parsing.

Users are advised to upgrade to Apache Log4j API 2.25.5 or 2.26.1, both of which emit RFC 8259-compliant JSON for non-finite values.

AnalysisAI

Malformed JSON output in Apache Log4j API versions 2.13.1-2.25.4 and 2.26.0 allows a remote attacker who can inject non-finite floating-point values (NaN, Infinity, -Infinity) into a logged MapMessage to corrupt downstream log records and disrupt log ingestion pipelines. This is an incomplete fix follow-on to CVE-2026-34481: the prior patch left code paths in MapMessage.asJson() and MapMessage.getFormattedMessage(["JSON"]) that still emit bare IEEE 754 non-finite tokens prohibited by RFC 8259. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker injects NaN/Infinity into application input
Delivery
Application constructs MapMessage with float value
Exploit
JsonTemplateLayout message resolver invokes MapMessage.asJson()
Execution
Bare non-finite token emitted in JSON output
Persist
Log record fails RFC 8259 parsing
Impact
Downstream SIEM/aggregator drops or corrupts log event

Vulnerability AssessmentAI

Exploitation Exploitation requires both of the following conditions to be simultaneously true: (1) the application must be configured to use JsonTemplateLayout with the message resolver, or any layout that internally calls MapMessage.asJson() or MapMessage.getFormattedMessage(new String[]{"JSON"}) - this is not the default Log4j layout and requires explicit configuration; and (2) the attacker must be able to supply a non-finite IEEE 754 value (NaN, Infinity, or -Infinity) that the application places into a MapMessage key-value entry and subsequently logs. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N) reflects a network-reachable flaw requiring no authentication, but constrained by a partial attack target (AT:P) and producing only low subsequent-system integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted HTTP request or API payload to a Java application that logs request fields as a MapMessage with JsonTemplateLayout enabled. The payload contains a floating-point field set to NaN or Infinity - valid at the application layer. …
Remediation Upgrade to Apache Log4j API 2.25.5 or 2.26.1, both of which emit RFC 8259-compliant representations for non-finite floating-point values. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49844 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy