Known issue - Log4j CVEs affecting MESH Java Client 6.3.6

We are aware of a number of recent Apache Log4j CVEs that have been identified against the version of Log4j bundled with the current MESH Java Client (6.3.6).
The following CVEs have been raised by users:

  • CVE-2026-34477

  • CVE-2026-34479

  • CVE-2026-34480

  • CVE-2026-34481

  • CVE-2025-68161

The current MESH Java Client (6.3.6) uses Log4j version 2.17.2.

Current assessment
We have reviewed the CVEs above and, based on the default configuration and intended usage of the MESH Java Client, do not currently believe these vulnerabilities present a material risk to standard MESH client deployments.
Our assessment is as follows:

  • CVE-2026-34477 relates to TLS-based remote logging appenders. The MESH Java Client uses Log4j for local logging only and does not enable remote logging functionality as part of the standard installation or published guidance.

  • CVE-2026-34479 and CVE-2026-34480 relate to XML logging functionality, which is not used by the MESH Java Client.

  • CVE-2026-34481 relates to JSON logging functionality, which is also not used by the MESH Java Client.

  • CVE-2025-68161 similarly relies on remote logging functionality being enabled, which is not part of the default MESH client configuration.

Recommended approach
Users should continue to:

  • run the client in its default configuration

  • avoid enabling remote logging functionality

  • apply standard organisational security controls and endpoint protection practices
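The assessment above rests on the client using local-only logging with no remote appender, no TLS block and no XML/JSON layout. The following added check (not part of this advisory or the MESH client) audits a Log4j 2 XML configuration for exactly those feature classes, so a deployment can confirm it is still in the standard shape before relying on the recommended approach. It assumes an XML-format Log4j 2 configuration; the set of remote appender names is a practical assumption rather than an exhaustive list, and both sample configurations, the host name and the file paths are constructed.

```python
import xml.etree.ElementTree as ET

# Appender plugins that send events off the host (assumption: a practical set,
# not every Log4j 2 appender) and the layout plugins the XML/JSON CVEs concern.
REMOTE_APPENDERS = {"socket", "syslog", "http", "smtp", "kafka"}
RISKY_LAYOUTS = {"jsonlayout", "xmllayout", "jsontemplatelayout"}


def audit_log4j2_config(xml_text: str) -> list[str]:
    """Return one finding per non-default feature found in a Log4j 2 XML config.

    An empty list means only local appenders, no SSL block and no XML/JSON
    layout were found, i.e. the configuration shape the assessment relies on.
    """
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]            # drop any namespace prefix
        # Log4j 2 accepts both <Socket .../> and <Appender type="Socket" .../>;
        # plugin names are matched case-insensitively.
        kind = el.get("type", tag).lower()
        name = el.get("name", "<unnamed>")
        if kind in REMOTE_APPENDERS:
            findings.append(f"remote appender {kind} '{name}'")
        elif kind in RISKY_LAYOUTS:
            findings.append(f"layout {kind}")
        elif kind == "ssl":
            findings.append("TLS (SSL element) configured on an appender")
    return findings


# Constructed sample: local-only logging of the kind the advisory describes.
DEFAULT_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT"><PatternLayout pattern="%d %p %m%n"/></Console>
    <RollingFile name="file" fileName="logs/mesh.log" filePattern="logs/mesh-%i.log.gz">
      <PatternLayout pattern="%d %p %c{1.} %m%n"/>
      <SizeBasedTriggeringPolicy size="10 MB"/>
    </RollingFile>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="file"/></Root></Loggers>
</Configuration>"""

# Constructed sample: a non-standard config enabling the features to avoid
# (TLS remote appender plus a JSON layout); host and paths are placeholders.
NON_STANDARD_CONFIG = """<Configuration>
  <Appenders>
    <Socket name="ship" host="logs.example.invalid" port="6514">
      <SSL><TrustStore location="/etc/mesh/truststore.jks"/></SSL>
      <JsonLayout compact="true"/>
    </Socket>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="ship"/></Root></Loggers>
</Configuration>"""

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("non-standard", NON_STANDARD_CONFIG)):
        print(label, audit_log4j2_config(cfg) or ["no findings"])
```

Any finding means the deployment is outside the standard configuration the assessment covers and is a case to raise with the MESH team as described below.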

Future updates
An internal Jira ticket has been raised to track future Log4j dependency updates within the Java MESH Client:

  • MESH-2789

At present we are unable to provide confirmed timescales for a future client release containing updated Log4j dependencies.
If users have further questions or believe they are using non-standard logging configurations, please raise a support ticket with the MESH team.