Description
Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in log messages, NDC, and MDC property keys and values, producing invalid XML output. Conforming XML parsers must reject such documents with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.

An attacker who can influence logged data can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.

Users are advised to upgrade to Apache Log4cxx 1.7.0, which fixes this issue.
Published: 2026-04-10
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Log event suppression and audit trail impairment
Action: Immediate patch
AI Analysis

Impact

Apache Log4cxx’s XMLLayout fails to escape XML 1.0 forbidden characters in logged data, charting, NDC and MDC keys and values in versions prior to 1.7.0. The resulting invalid XML documents are rejected by conforming parsers, causing log entries to be silently dropped or processed systems to fail to index them. An attacker who can inject or influence logged messages can use this flaw to erase evidence of activity, degrading audit trails and hindering detection of malicious actions.

Affected Systems

Affects Apache Log4cxx, the Brew distribution of Log4cxx and the Conan package of Log4cxx when used in any version earlier than 1.7.0. Users of these libraries should verify the version in use and consider upgrading.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.3, indicating medium severity, and an EPSS score below 1 %, suggesting a low probability of widespread exploitation. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an attacker’s ability to supply log data that the application records, a condition that may arise from local code execution or from remote inputs that are directly logged. The likely attack vector is via application input that ends up in log messages or contextual data libraries.

Generated by OpenCVE AI on April 14, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Log4cxx to version 1.7.0 or later to eliminate XML layout sanitization issues.

Generated by OpenCVE AI on April 14, 2026 at 01:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-117
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate

Fri, 10 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
References

Fri, 10 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in log messages, NDC, and MDC property keys and values, producing invalid XML output. Conforming XML parsers must reject such documents with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. An attacker who can influence logged data can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity. Users are advised to upgrade to Apache Log4cxx 1.7.0, which fixes this issue.
Title Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters
First Time appeared Apache
Apache log4cxx
Weaknesses CWE-116
CPEs cpe:2.3:a:apache:log4cxx:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache log4cxx
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

Apache Log4cxx
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T17:29:20.009Z

Reserved: 2026-04-08T10:49:51.858Z

Link: CVE-2026-40023

cve-icon Vulnrichment

Updated: 2026-04-10T16:18:23.094Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T16:16:32.600

Modified: 2026-04-21T14:49:42.767

Link: CVE-2026-40023

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-10T15:45:52Z

Links: CVE-2026-40023 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:22Z

Weaknesses