View all Vulnerabilities

CVE-2026-34483

Content Spoofing
Affects
Apache Tomcat
in
Apache Tomcat
No items found.
Versions
>=8.5.84 <=8.5.100, >=9.0.40 <=9.0.116, >=10.1.0-M1 <=10.1.53, >=11.0.0-M1 <=11.0.20
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Apache Tomcat is an open-source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations, and Jakarta Authentication specifications, providing a pure Java HTTP web server environment for running Java code. It is one of the most widely used Java application servers.

A low-severity vulnerability (CVE-2026-34483) has been identified in the JsonAccessLogValve component of Apache Tomcat. Incomplete escaping of request URI and query string values when writing JSON-formatted access logs allows injection of arbitrary JSON content. This is exploitable when the Connector attributes relaxedPathChars and/or relaxedQueryChars are set to non-default values.

Per OWASP: Content Spoofing (also known as content injection) is an attack technique used to trick a user into believing certain content appearing on a website is legitimate and not from an external source. In this case, an attacker can inject arbitrary JSON structures into access log files, potentially misleading log analysis tools or masking malicious activity.

This issue affects versions 8.5.84 through 8.5.100, 9.0.40 through 9.0.116, 10.1.0-M1 through 10.1.53, and 11.0.0-M1 through 11.0.20 of Apache Tomcat.

Details

Module Info

Vulnerability Info

The vulnerability exists in AbstractAccessLogValve.java, which is the base class for access log implementations including JsonAccessLogValve. The class has an escapeAndAppend() method that handles escaping of special characters (backslashes, double quotes, control characters, and characters above 127) for JSON output. This method was already used for other log fields such as headers, cookies, attributes, and remote user.

However, the request URI and query string fields were written directly using buf.append() without escaping:

// Vulnerable code in RequestElement (%r pattern):
buf.append(request.getRequestURI());
buf.append(request.getQueryString());

// Vulnerable code in QueryElement (%q pattern):
buf.append(query);

// Vulnerable code in RequestURIElement (%U pattern):
buf.append(request.getRequestURI());

When relaxedPathChars and/or relaxedQueryChars are configured on the Connector to allow characters like {, }, ", and others that are normally rejected, an attacker can craft URLs containing these characters. Since the values are not escaped before being written to the JSON log, the attacker can inject arbitrary JSON structures into the log output.

The fix changes all four locations to use escapeAndAppend() instead of buf.append(), ensuring proper escaping of special characters in the URI and query string fields.

The JsonAccessLogValve was first introduced in Tomcat 8.5.88. The broader affected range (8.5.84+) accounts for the underlying escaping gap in AbstractAccessLogValve.

Steps To Reproduce

To exploit this vulnerability, the Tomcat instance must be configured with JsonAccessLogValve and have relaxedPathChars or relaxedQueryChars set on the Connector. An attacker sends a request with JSON-breaking characters in the URI:

GET /app/%7B%22injected%22:%22value%22%7D HTTP/1.1
Host: vulnerable-app.example.com

When relaxedPathChars includes { and }, the decoded URI {"injected":"value"} is written directly into the JSON access log without escaping, resulting in malformed JSON output that can mislead log analysis tools or inject false log entries.

Mitigation

Only recent versions of Apache Tomcat are community-supported. Older versions (8.5.x and earlier) will not receive any updates to address this issue. NES for Tomcat includes an update to 8.5.x to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Apache Tomcat.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • Bartlomiej Dmitruk from striga.ai (finder)
Pink arrow
Pink arrow
Tomcat logo
CVE-2024-34750
Tomcat logo
CVE-2024-38286
Tomcat logo
CVE-2024-50379
Tomcat logo
CVE-2024-52316
Tomcat logo
CVE-2024-52317
Tomcat logo
CVE-2024-54677
Tomcat logo
CVE-2024-56337
Tomcat logo
CVE-2025-31650
Tomcat logo
CVE-2025-48988
Tomcat logo
CVE-2025-49124
Tomcat logo
CVE-2025-49125
Tomcat logo
CVE-2025-52434
Tomcat logo
CVE-2025-52520
Tomcat logo
CVE-2025-53506
Tomcat logo
CVE-2025-24813
Tomcat logo
CVE-2025-31651
Tomcat logo
CVE-2025-46701
Tomcat logo
CVE-2025-55752
Tomcat logo
CVE-2025-61795
Tomcat logo
CVE-2025-55754
Tomcat logo
CVE-2025-66614
Tomcat logo
CVE-2026-24733
Tomcat logo
CVE-2026-24880
Tomcat logo
CVE-2026-25854
Tomcat logo
CVE-2026-29146
Tomcat logo
CVE-2026-32990
Tomcat logo
CVE-2026-34483
Tomcat logo
CVE-2026-34486
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Low
ID
CVE-2026-34483
PROJECT Affected
Apache Tomcat
Versions Affected
>=8.5.84 <=8.5.100, >=9.0.40 <=9.0.116, >=10.1.0-M1 <=10.1.53, >=11.0.0-M1 <=11.0.20
NES Versions Affected
Published date
April 13, 2026
≈ Fix date
April 9, 2026
Fixed in
NES for Apache Tomcat
Category
Content Spoofing
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Apache Tomcat
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.