CVE-2026-34483 Overview
CVE-2026-34483 is an Improper Encoding or Escaping of Output vulnerability [CWE-116] in the JsonAccessLogValve component of Apache Tomcat. The flaw allows attackers to inject content into JSON-formatted access logs by sending crafted request data that is not properly escaped before being written to log output. Downstream log consumers parsing the malformed JSON can be misled or corrupted, undermining log integrity and forensic analysis.
The vulnerability affects Apache Tomcat 11.0.0-M1 through 11.0.20, 10.1.0-M1 through 10.1.53, and 9.0.40 through 9.0.116. Apache has released fixed versions 11.0.21, 10.1.54, and 9.0.117.
Critical Impact
Remote unauthenticated attackers can corrupt JSON access logs, breaking log integrity and degrading the reliability of downstream SIEM and forensic pipelines.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.20
- Apache Tomcat 10.1.0-M1 through 10.1.53
- Apache Tomcat 9.0.40 through 9.0.116
Discovery Timeline
- 2026-04-09 - CVE-2026-34483 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-34483
Vulnerability Analysis
The JsonAccessLogValve writes HTTP request metadata into structured JSON log entries. The component fails to properly encode or escape certain characters before serializing them into JSON output. Attacker-controlled fields such as request headers, URIs, or query parameters can include characters that break JSON syntax or inject additional key-value pairs into the log record.
The confidentiality impact arises because corrupted or attacker-injected log entries can mask malicious activity, mislead incident responders, or poison automated log analysis systems. Because Tomcat is widely deployed as a web tier in front of Java applications, log integrity is a critical security boundary for downstream SIEM ingestion.
Root Cause
The root cause is the failure of JsonAccessLogValve to apply proper JSON escaping to all user-controllable fields before writing them to the access log. Characters such as quotation marks, backslashes, and control characters can terminate a JSON string early or introduce structural elements that change the semantic meaning of the log entry. This maps to [CWE-116] Improper Encoding or Escaping of Output.
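To make the CWE-116 pattern concrete, the following is an added illustration (not Tomcat's code and not the JsonAccessLogValve implementation): a log line assembled by string concatenation without escaping, beside the hardened form that lets the JSON serializer escape every value. The field names and the constructed request metadata are assumptions for the example.

```python
import json


def naive_json_entry(fields):
    """Illustrative only: build a JSON log line by concatenating raw values
    without escaping them (the CWE-116 pattern, not Tomcat's actual code)."""
    body = ",".join(f'"{key}":"{value}"' for key, value in fields.items())
    return "{" + body + "}"


def escaped_json_entry(fields):
    """Hardened form: the serializer escapes quotes and backslashes, and with
    ensure_ascii=True it also renders control characters as \\uXXXX escapes."""
    return json.dumps(fields, ensure_ascii=True, separators=(",", ":"))


def round_trips(line, fields):
    """True if the written line parses back to exactly the fields that were
    logged; False on a parse failure or a changed record."""
    try:
        return json.loads(line) == fields
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return False


# Constructed request metadata (not from a real capture): the user-agent value
# carries a quotation mark and an ESC control character.
FIELDS = {
    "remoteHost": "203.0.113.5",
    "requestURI": "/index.jsp",
    "userAgent": 'Mozilla/5.0 "x"\x1b',
}

if __name__ == "__main__":
    print(naive_json_entry(FIELDS), round_trips(naive_json_entry(FIELDS), FIELDS))
    print(escaped_json_entry(FIELDS), round_trips(escaped_json_entry(FIELDS), FIELDS))
```

The naive line no longer parses, because the quotation mark in the user-agent terminates the string early; the escaped line parses back to the original fields, which is the property a log writer has to guarantee for every user-controllable field.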
Attack Vector
The vulnerability is remotely exploitable over the network without authentication or user interaction. An attacker sends HTTP requests containing crafted characters in headers, the request line, or parameters logged by the valve. When JsonAccessLogValve writes the request to the log, the unescaped characters break the JSON structure or inject forged fields. No special configuration is required beyond enabling the JSON access log valve, which is a documented Tomcat feature.
No public proof-of-concept exploit has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Apache mailing list thread and the Openwall oss-security post for vendor technical details.

Detection Methods for CVE-2026-34483
Indicators of Compromise
- JSON access log entries that fail to parse as valid JSON or contain unexpected structural delimiters
- Log records containing unescaped quotation marks, backslashes, or control characters in request fields
- HTTP requests with anomalous headers, URIs, or query strings containing JSON metacharacters
- Duplicate or unexpected keys within a single JSON access log record
Detection Strategies
- Validate access log records against a strict JSON schema during ingestion and alert on parse failures
- Inspect web traffic for inbound requests containing \", \\, or control-character payloads in headers and URIs
- Compare Tomcat version banners against fixed versions 11.0.21, 10.1.54, and 9.0.117 to identify exposed instances
Monitoring Recommendations
- Enable SIEM alerts on malformed JSON entries originating from Tomcat access log sources
- Track the rate of log parse failures over time to detect injection campaigns
- Correlate suspicious header content with downstream application errors to identify exploitation attempts
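The ingestion-side checks listed under Detection Strategies and Indicators of Compromise (strict parsing, parse-failure alerting, duplicate or unexpected keys, raw control characters) can be implemented in a small validator such as the following. This is an added example, not code from the Apache Tomcat project; the expected key set and the sample log lines are constructed assumptions and should be adjusted to the pattern configured on the valve.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Raw control characters (other than tab, LF and CR, which may legitimately
# separate tokens) are never legal unescaped inside a JSON string; their
# presence means the writer did not escape the value.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# Keys this deployment's JSON access log is expected to emit (assumed for the
# example; derive the real set from the valve's configured pattern).
EXPECTED_KEYS = {"time", "remoteHost", "requestMethod", "requestURI",
                 "statusCode", "userAgent"}


def _reject_duplicates(pairs):
    """object_pairs_hook that fails on duplicate keys instead of silently
    keeping the last value, which is what json.loads does by default."""
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r}")
        seen.add(key)
    return dict(pairs)


def check_record(line: str) -> Dict[str, object]:
    """Classify one access-log line: returns 'ok', a list of 'reasons' it was
    flagged, and the parsed 'record' when parsing succeeded."""
    reasons: List[str] = []
    record: Optional[dict] = None
    if CONTROL_CHARS.search(line):
        reasons.append("raw control character in line")
    try:
        record = json.loads(line, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        reasons.append(f"parse failure: {exc}")
    else:
        if not isinstance(record, dict):
            reasons.append("top-level value is not an object")
        else:
            unexpected = set(record) - EXPECTED_KEYS
            if unexpected:
                reasons.append(f"unexpected keys: {sorted(unexpected)}")
    return {"ok": not reasons, "reasons": reasons, "record": record}


def scan(lines) -> Tuple[int, List[Tuple[int, List[str]]]]:
    """Run check_record over a log stream; return the number of flagged
    lines and (line number, reasons) for each, ready to feed an alert."""
    findings = []
    for number, line in enumerate(lines, 1):
        result = check_record(line)
        if not result["ok"]:
            findings.append((number, result["reasons"]))
    return len(findings), findings


# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    # well-formed entry
    '{"time":"2026-04-10T12:00:00Z","remoteHost":"203.0.113.5","requestMethod":"GET",'
    '"requestURI":"/app/index.jsp","statusCode":200,"userAgent":"Mozilla/5.0"}',
    # an unescaped quotation mark inside a logged field breaks the structure
    '{"time":"2026-04-10T12:00:01Z","remoteHost":"203.0.113.5","requestMethod":"GET",'
    '"requestURI":"/app/"x","statusCode":404,"userAgent":"curl/8.0"}',
    # a field repeated within one record (a default parser would keep the last one)
    '{"time":"2026-04-10T12:00:02Z","remoteHost":"203.0.113.5","requestMethod":"GET",'
    '"requestURI":"/app/","statusCode":200,"statusCode":200,"userAgent":"x"}',
    # a key the valve's configured pattern never emits
    '{"time":"2026-04-10T12:00:03Z","remoteHost":"203.0.113.5","requestMethod":"GET",'
    '"requestURI":"/app/","statusCode":200,"userAgent":"x","forged":"value"}',
]

if __name__ == "__main__":
    count, findings = scan(SAMPLE_LOG)
    print(f"{count} of {len(SAMPLE_LOG)} lines flagged")
    for number, reasons in findings:
        print(number, reasons)
```

The duplicate-key hook matters because most JSON parsers silently keep the last value for a repeated key, which is exactly the behaviour an injected field relies on to pass unnoticed; rejecting the record and counting the failure rate over time gives the SIEM the signal the Monitoring Recommendations describe.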
How to Mitigate CVE-2026-34483
Immediate Actions Required
- Upgrade Apache Tomcat to version 11.0.21, 10.1.54, or 9.0.117 depending on the deployed branch
- Audit running Tomcat instances and inventory which servers have JsonAccessLogValve configured
- Review historical JSON access logs for evidence of malformed entries indicating prior exploitation attempts
Patch Information
The Apache Tomcat project has released patched versions that correctly encode output written by JsonAccessLogValve. Users running affected versions should upgrade to 11.0.21, 10.1.54, or 9.0.117. See the Apache Mailing List Thread for the official advisory.
Workarounds
- Disable JsonAccessLogValve and revert to the standard AccessLogValve until upgrade is feasible
- Place a reverse proxy or web application firewall in front of Tomcat to strip or normalize JSON metacharacters in request fields
- Restrict log ingestion pipelines to treat Tomcat JSON logs as untrusted input and validate structure before downstream processing
<!-- Configuration example: disabling JsonAccessLogValve in server.xml.
     Comment out or remove the JsonAccessLogValve entry and substitute the standard valve. -->
<!--
<Valve className="org.apache.catalina.valves.JsonAccessLogValve"
       directory="logs" prefix="localhost_access_log" suffix=".json" />
-->
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs"
       prefix="localhost_access_log"
       suffix=".txt"
       pattern="common" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.