Elastic APM Agent - CVE-2026-34480

leoluzh · April 29, 2026, 10:06pm

When running a NeuVector scan, CVE-2026-34480 was found in the elastic-apm-agent artifact (version 1.55.6) for the log4j-core dependency.

Vulnerabilities: 5, HIGH: 1, MEDIUM: 3, LOW: 1, UNKNOWN: 0
File: app/libs/apm-agent-attach-1.55.6.jar:elastic-apm-agent.jar
┌─────────────────────────────────────┬────────────────┬──────────┬─────────┬───────────────┬────────────┐
│ PACKAGE │ VULNERABILITY │ SEVERITY │ VERSION │ FIXED VERSION │ PUBLISHED │
├─────────────────────────────────────┼────────────────┼──────────┼─────────┼───────────────┼────────────┤
│ org.apache.logging.log4j:log4j-core │ CVE-2026-34480 │ High │ 2.12.4 │ 2.25.4 │ 2026-04-10 │
│ ├────────────────┼──────────┤ ├───────────────┼────────────┤
│ │ CVE-2025-68161 │ Medium │ │ 2.25.3 │ 2025-12-18 │
│ ├────────────────┤ │ ├───────────────┼────────────┤
│ │ CVE-2026-34477 │ │ │ 2.25.4 │ 2026-04-10 │
└─────────────────────────────────────┴────────────────┴──────────┴─────────┴───────────────┴────────────┘

MichelLaterman · April 30, 2026, 9:43pm

Hi, this is for the APM agent; which is a different product then the elastic-agent

Topic		Replies	Views
Elastic-apm-agent-1.33.0.jar flagged by security scan APM java	5	521	March 24, 2023
CVE-2021-45105 and CVE-2020-9488 vulnerabilities with java apm agent 1.28.4 APM java	4	1736	February 9, 2022
Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31 Security Announcements	7	352781	November 4, 2022
Log4J version in apm-agent APM java	3	275	February 4, 2025
Removal of packages from the tar file due to vulnerability (log4j) Elasticsearch docker	6	237	January 5, 2024

Elastic APM Agent - CVE-2026-34480

Related topics