CVE-2026-34483 Overview
CVE-2026-34483 is an Improper Encoding or Escaping of Output vulnerability (CWE-116) affecting the JsonAccessLogValve component of Apache Tomcat. This vulnerability arises from inadequate output encoding or escaping when processing log entries, potentially allowing attackers to inject malicious content into JSON-formatted access logs.
The JsonAccessLogValve component is responsible for generating access logs in JSON format. When user-controlled input is written to these logs without proper encoding, it can lead to log injection attacks, manipulation of log data integrity, or downstream exploitation of systems that consume these logs.
Critical Impact
Attackers may inject malicious JSON content into access logs, potentially compromising log integrity, enabling log forging attacks, or exploiting downstream log analysis systems that process these logs.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.20
- Apache Tomcat 10.1.0-M1 through 10.1.53
- Apache Tomcat 9.0.40 through 9.0.116
Discovery Timeline
- 2026-04-09 - CVE CVE-2026-34483 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-34483
Vulnerability Analysis
The vulnerability exists within the JsonAccessLogValve component of Apache Tomcat, which is designed to write access log entries in JSON format. The core issue stems from improper encoding or escaping of output data when constructing JSON log entries.
When HTTP request data (such as request paths, query parameters, user-agent strings, or other header values) is written to the access log, the JsonAccessLogValve fails to properly escape special JSON characters. This creates an opportunity for attackers to craft malicious requests containing JSON control characters that, when logged, alter the structure of the JSON output.
This type of output encoding vulnerability can have several downstream effects. Log injection attacks can corrupt log data integrity, making forensic analysis unreliable. If log aggregation systems parse these JSON logs, injected payloads could potentially trigger vulnerabilities in those downstream systems. Additionally, attackers may be able to forge log entries or hide malicious activity by manipulating the log structure.
Root Cause
The root cause is insufficient output encoding in the JsonAccessLogValve component. When user-controlled input is incorporated into JSON-formatted log entries, special characters such as quotes ("), backslashes (\), and control characters are not properly escaped according to JSON specification requirements. This allows attackers to break out of JSON string contexts and inject arbitrary JSON structures.
Attack Vector
The attack vector involves sending crafted HTTP requests to an Apache Tomcat server that has the JsonAccessLogValve configured for access logging. An attacker can embed JSON control characters within request components that are logged, such as:
- Request URIs containing special characters
- Query string parameters with embedded JSON syntax
- HTTP headers (User-Agent, Referer, etc.) with malicious payloads
When these requests are processed and logged by the vulnerable JsonAccessLogValve, the improper encoding allows the attacker's payload to corrupt the JSON structure of the log entry. This can result in log injection, where false log entries are created, or log corruption, where legitimate log data becomes unparseable.
The vulnerability mechanism involves the failure to escape JSON-significant characters when writing log values. For detailed technical information, refer to the Apache Mailing List Thread discussing this security issue.
Detection Methods for CVE-2026-34483
Indicators of Compromise
- Malformed or corrupted JSON entries in Tomcat access logs generated by JsonAccessLogValve
- Unexpected JSON structure changes or additional JSON fields appearing in access log entries
- HTTP requests containing unusual characters or JSON syntax in URIs, headers, or query parameters
- Log parsing errors in downstream log aggregation or SIEM systems consuming Tomcat access logs
Detection Strategies
- Monitor for HTTP requests containing JSON control characters (", \, newlines) in logged fields such as request paths, query strings, and headers
- Implement JSON schema validation on access log entries to detect structurally invalid or unexpected log formats
- Configure alerts for log parsing failures in systems consuming JsonAccessLogValve output
- Use SentinelOne Singularity to detect anomalous request patterns targeting Tomcat servers
Monitoring Recommendations
- Enable detailed request logging to capture full request headers and parameters for forensic analysis
- Implement real-time log integrity monitoring for Tomcat access logs
- Configure SIEM correlation rules to detect patterns of log injection attempts
- Monitor Tomcat server behavior for unusual request patterns that may indicate exploitation attempts
How to Mitigate CVE-2026-34483
Immediate Actions Required
- Upgrade Apache Tomcat to version 11.0.21, 10.1.54, or 9.0.117 immediately, as these versions contain the fix for this vulnerability
- Review JsonAccessLogValve configuration and consider temporarily switching to standard AccessLogValve if immediate patching is not possible
- Audit existing JSON access logs for signs of log injection or corruption
- Implement input validation at the application layer to filter malicious characters before they reach logging components
Patch Information
Apache has released fixed versions that address this vulnerability. Users should upgrade to the following patched versions:
| Affected Branch | Fixed Version |
|---|---|
| Apache Tomcat 11.x | 11.0.21 |
| Apache Tomcat 10.1.x | 10.1.54 |
| Apache Tomcat 9.0.x | 9.0.117 |
For additional details and official guidance, consult the Apache Mailing List Thread.
Workarounds
- Switch from JsonAccessLogValve to standard AccessLogValve until patching is completed to avoid JSON encoding issues
- Implement a reverse proxy or WAF rule to sanitize or block requests containing JSON control characters in logged fields
- Configure log rotation and integrity monitoring to quickly detect any log manipulation
- Isolate log processing systems to prevent downstream exploitation if log injection occurs
# Configuration example - Switch to standard AccessLogValve in server.xml
# Replace JsonAccessLogValve configuration with standard AccessLogValve:
# <Valve className="org.apache.catalina.valves.AccessLogValve"
# directory="logs"
# prefix="access_log"
# suffix=".txt"
# pattern="%h %l %u %t "%r" %s %b" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
