Skip to content

Update log4j2 to 2.26.0 to address CVE-2026-49844#400

Merged
laffer1 merged 2 commits into
masterfrom
copilot/fix-cve-2026-49844-log4j
Jul 12, 2026
Merged

Update log4j2 to 2.26.0 to address CVE-2026-49844#400
laffer1 merged 2 commits into
masterfrom
copilot/fix-cve-2026-49844-log4j

Conversation

Copilot AI commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

CVE-2026-49844 (Medium) was detected in log4j-api-2.24.3.jar, pulled in as a transitive dependency via Spring Boot's BOM.

Changes

  • Added log4j2.version property override in pom.xml to pin log4j to 2.26.0, superseding the Spring Boot-managed default of 2.24.3
<properties>
    ...
    <log4j2.version>2.26.0</log4j2.version>
</properties>

This upgrades all log4j artifacts (log4j-api, log4j-to-slf4j) to 2.26.0 using the standard Spring Boot version override mechanism.

@laffer1

laffer1 commented Jul 12, 2026

Copy link
Copy Markdown
Member

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Copilot AI changed the title [WIP] Fix CVE-2026-49844 vulnerability in log4j-api Update log4j2 to 2.26.0 to address CVE-2026-49844 Jul 12, 2026
Copilot AI requested a review from laffer1 July 12, 2026 19:11
@sonarqubecloud

Copy link
Copy Markdown

@laffer1 laffer1 marked this pull request as ready for review July 12, 2026 19:16
Copilot AI review requested due to automatic review settings July 12, 2026 19:16
@laffer1 laffer1 merged commit a864b84 into master Jul 12, 2026
12 checks passed

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins Log4j2 to a newer version via the Spring Boot parent property override mechanism to remediate a reported transitive CVE finding.

Changes:

  • Added a log4j2.version property override in pom.xml to force Log4j2 artifacts to 2.26.0 (overriding the Spring Boot-managed version).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CVE-2026-49844 (Medium) detected in log4j-api-2.24.3.jar

3 participants