Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2026-34477

Improper Validation of Certificate with Host Mismatch

Published: Apr 10, 2026 | Modified: May 06, 2026
CVSS 3.x
5.9
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
6.8 MODERATE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Ubuntu
MEDIUM
Vulnerability-free packages from our partners
root.io logo minimus.io logo echo.ai logo
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-34477
CWEhttps://cwe.mitre.org/data/definitions/297.html

The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the element.

Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.

A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:

  • An SMTP, Socket, or Syslog appender is in use.
  • TLS is configured via a nested element.
  • The attacker can present a certificate issued by a CA trusted by the appenders configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

Weakness

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

Affected Software

NameVendorStart VersionEnd Version
Log4jApache2.12.0 (including)2.25.4 (excluding)
Log4jApache3.0.0-alpha1 (including)3.0.0-alpha1 (including)
Log4jApache3.0.0-alpha1_rc1 (including)3.0.0-alpha1_rc1 (including)
Log4jApache3.0.0-alpha1_rc2 (including)3.0.0-alpha1_rc2 (including)
Log4jApache3.0.0-beta1 (including)3.0.0-beta1 (including)
Log4jApache3.0.0-beta2 (including)3.0.0-beta2 (including)
Log4jApache3.0.0-beta3 (including)3.0.0-beta3 (including)
Red Hat Offline Knowledge Portal 1.2.4RedHatoffline-knowledge-portal/rhokp-rhel9:1779996999*
Apache-log4j2Ubuntuesm-infra/xenial*

Extended Description

Even if a certificate is well-formed, signed, and follows the chain of trust, it may simply be a valid certificate for a different site than the site that the product is interacting with. In order to ensure data integrity, the certificate must be valid, and it must pertain to the site that is being accessed. Even if the product attempts to check the hostname, it is still possible to incorrectly check the hostname. For example, attackers could create a certificate with a name that begins with a trusted name followed by a NUL byte, which could cause some string-based comparisons to only examine the portion that contains the trusted name.

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2026 Aqua Security Software Ltd.   Privacy Policy | Terms of Use