Improper Output Neutralization for Logs Affecting kafka-strimzi-compat-0.45 package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Improper Output Neutralization for Logs vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-MINIMOSLATEST-KAFKASTRIMZICOMPAT045-16078629
- published16 Apr 2026
- disclosed10 Apr 2026
Introduced: 10 Apr 2026
NewCVE-2026-34478 (opens in a new tab)How to fix?
There is no fixed version for Minimos:latest kafka-strimzi-compat-0.45.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kafka-strimzi-compat-0.45 package and not the kafka-strimzi-compat-0.45 package as distributed by Minimos.
See How to fix? for Minimos:latest relevant fixed versions and status.
Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.
Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:
- The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
- The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.
Users of the SyslogAppender are not affected, as its configuration attributes were not modified.
Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
References
- https://www.cve.org/CVERecord?id=CVE-2026-34478
- https://github.com/advisories/GHSA-445c-vh5m-36rj
- https://osv.dev/vulnerability/MINI-h4gc-m9jp-2g7j
- https://osv.dev/vulnerability/CVE-2026-34478
- https://github.com/apache/logging-log4j2/pull/4074
- https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt
- https://logging.apache.org/cyclonedx/vdr.xml
- https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout
- https://logging.apache.org/security.html#CVE-2026-34478
- http://www.openwall.com/lists/oss-security/2026/04/10/7