Description
Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.
Published: 2026-04-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Log injection causing information disclosure and log tampering
Action: Apply patch
AI Analysis

Impact

Improper encoding or escaping of JSON access logs in the JsonAccessLogValve component of Apache Tomcat allows attackers to inject malicious payloads into log entries. Because the log output is not sanitized, crafted HTTP requests can produce log entries containing hidden or false data, potentially leading to information disclosure and making it difficult to detect real log entries. The flaw aligns with CWE‑116, where unchecked output is written without proper encoding.

Affected Systems

Affected products are Apache Tomcat versions 9.0.40 through 9.0.116, 10.1.0‑M1 through 10.1.53, and 11.0.0‑M1 through 11.0.20. All these releases are part of the Apache Software Foundation’s Tomcat distribution. Users of these versions are advised to upgrade to 9.0.117, 10.1.54, or 11.0.21, which contain the fix.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is unknown, and the vulnerability is not listed in the KEV catalog. Based on the description, the likely attack vector is through HTTP traffic that the server logs; an adversary can send requests that are logged with malicious content to corrupt the log file or reveal sensitive information. The overall risk is moderate but could aid in covert operations by tampering logs; therefore, patching is recommended.

Generated by OpenCVE AI on April 9, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to version 9.0.117 or newer, 10.1.54 or newer, or 11.0.21 or newer.
  • If a patch cannot be applied immediately, disable or remove the JsonAccessLogValve component to stop logging in JSON format.
  • Review existing log files for anomalies and ensure logs are sourced from trusted inputs.
  • Consider configuring alternative log sanitization to prevent log injection.

Generated by OpenCVE AI on April 9, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rv64-5gf8-9qq8 Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve
History

Fri, 10 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-838
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

threat_severity

Low

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache tomcat
Vendors & Products Apache
Apache tomcat

Fri, 10 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
References

Thu, 09 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.
Title Apache Tomcat: Incomplete escaping of JSON access logs
Weaknesses CWE-116
References

Subscriptions

Apache Tomcat
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T20:17:38.858Z

Reserved: 2026-03-30T07:40:44.705Z

Link: CVE-2026-34483

cve-icon Vulnrichment

Updated: 2026-04-10T20:15:20.161Z

cve-icon NVD

Status : Received

Published: 2026-04-09T20:16:24.937

Modified: 2026-04-10T21:16:24.760

Link: CVE-2026-34483

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-09T19:30:28Z

Links: CVE-2026-34483 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:29:34Z

Weaknesses