Description
Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection, albeit heavily restricted.

More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate Proxy objects.

Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions.

This issue affects logback: through 1.5.33 inclusive.
Published: 2026-06-01
Score: 2.9 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in logback's HardenedObjectInputStream, the ObjectInputStream subclass that restricts which classes may be deserialized from data received on the logging socket. An attacker who can deliver crafted serialized data to SimpleSocketServer or SimpleSSLSocketServer can cause the stream to instantiate java.lang.reflect.Proxy objects that its class whitelist was meant to keep out. The weakness is deserialization of untrusted data (CWE-502). According to the vendor and the available evidence it does not currently lead to remote code execution or significant privilege escalation, but attacker-chosen objects are still instantiated inside the application's runtime, which is exactly what the whitelist exists to prevent.

Affected Systems

The issue affects QOS.CH Sarl logback logback-core up to and including version 1.5.33. Only deployments that expose a SimpleSocketServer or SimpleSSLSocketServer are reachable by an attacker, but every installation on 1.5.33 or earlier carries the weak stream.

Risk and Exploitability

The CVSS 4.0 score of 2.9 rates the problem Low, and the absence of an EPSS score and of a KEV listing indicates no known widespread exploitation; the SSVC entry in the history below likewise records exploitation as none and the attack as not automatable. The vector (AV:N/AC:H/AT:P) describes a network-reachable attack that needs both high attacker effort and specific preconditions: the attacker must be able to feed arbitrary serialized data to an exposed SimpleSocketServer or SimpleSSLSocketServer. No functional path to remote code execution has been identified, but instantiating Proxy objects past a deserialization whitelist is a primitive rather than an end state, and it may serve as a foothold in a longer chain; the vector's E:P (proof-of-concept) exploit maturity should be read in that light.

Generated by OpenCVE AI on June 1, 2026 at 14:37 UTC.

Remediation

Vendor Solution

Upgrade to logback version 1.5.34.


OpenCVE Recommended Actions

  • Upgrade logback to version 1.5.34 or later
  • Do not expose SimpleSocketServer or SimpleSSLSocketServer to untrusted senders: restrict the listening endpoints at the network level, or disable the servers where they are not needed
  • If upgrading is not immediately feasible, add a JVM-level deserialization filter (JEP 290: the jdk.serialFilter system property, or ObjectInputFilter on Java 9+) that allows only the classes the logging server legitimately receives and rejects everything else; because the filter is applied to the generated proxy class as well, it catches proxies that logback's own whitelist in HardenedObjectInputStream lets through

Generated by OpenCVE AI on June 1, 2026 at 14:37 UTC.
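The Java program below is an added illustration of the mechanism described in the AI Analysis and of the compensating control in the last recommended action. It is not logback's code and does not reproduce HardenedObjectInputStream's internals. It builds a minimal whitelisting ObjectInputStream that checks class names only in resolveClass() and admits the java.lang package by prefix; that prefix rule is an assumption made for the demo, not a statement about logback's list. A serialized java.lang.reflect.Proxy passes such a stream because ObjectInputStream resolves the generated proxy class through resolveProxyClass(), which the whitelist never sees, while the proxy's serialized superclass descriptor, java.lang.reflect.Proxy, is admitted by the package prefix. The second stream closes the proxy path, and the third run shows a JEP 290 ObjectInputFilter (Java 9+ API) refusing the same payload without changing the library. The class names ProxyWhitelistDemo, WhitelistOnlyStream, ProxyRejectingStream and NoopHandler are hypothetical, and the payload is constructed by the program itself.

```java
import java.io.*;
import java.lang.reflect.*;
import java.util.Set;

// Hypothetical stand-in for a whitelisting ObjectInputStream. Not logback's
// HardenedObjectInputStream; its internals are not reproduced here.
public class ProxyWhitelistDemo {

    // Whitelist enforced in resolveClass() only. ObjectInputStream routes the
    // generated proxy class to resolveProxyClass(), so it never reaches this
    // check; the proxy's serialized superclass descriptor is
    // java.lang.reflect.Proxy, which the "java.lang." prefix rule admits.
    static class WhitelistOnlyStream extends ObjectInputStream {
        private final Set<String> allowed;

        WhitelistOnlyStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // The package-prefix rule is an assumption made for this demo.
            if (!allowed.contains(name) && !name.startsWith("java.lang.")) {
                throw new InvalidClassException("not on whitelist", name);
            }
            return super.resolveClass(desc);
        }
    }

    // Same whitelist, with the proxy path closed as well.
    static class ProxyRejectingStream extends WhitelistOnlyStream {
        ProxyRejectingStream(InputStream in, Set<String> allowed) throws IOException {
            super(in, allowed);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
            throw new InvalidClassException("proxy rejected: " + String.join(",", interfaces));
        }
    }

    // Serializable handler standing in for whatever whitelisted, serializable
    // InvocationHandler an attacker would have to pair with the proxy.
    static class NoopHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;
        @Override
        public Object invoke(Object proxy, Method method, Object[] args) { return null; }
    }

    // Constructed sample payload: a serialized Proxy implementing Runnable.
    static byte[] serializedProxy() throws IOException {
        Object proxy = Proxy.newProxyInstance(ProxyWhitelistDemo.class.getClassLoader(),
                new Class<?>[] { Runnable.class }, new NoopHandler());
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(proxy);
        }
        return bos.toByteArray();
    }

    // Reads one object and reports whether a Proxy instance was produced.
    static String describe(ObjectInputStream in) {
        try (in) {
            Object o = in.readObject();
            return Proxy.isProxyClass(o.getClass()) ? "ACCEPTED: Proxy instance created"
                                                    : "accepted: " + o.getClass().getName();
        } catch (InvalidClassException e) {
            return "REJECTED: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = serializedProxy();
        Set<String> allowed = Set.of(NoopHandler.class.getName());

        // 1. Whitelist on resolveClass() alone: the Proxy is instantiated.
        System.out.println("resolveClass-only whitelist: "
                + describe(new WhitelistOnlyStream(new ByteArrayInputStream(payload), allowed)));

        // 2. resolveProxyClass() overridden: refused before any further descriptor is read.
        System.out.println("resolveProxyClass hardened:  "
                + describe(new ProxyRejectingStream(new ByteArrayInputStream(payload), allowed)));

        // 3. JEP 290 filter (Java 9+) on the weak stream. The filter is invoked for
        //    the generated proxy class, which lives outside java.lang, so "!*"
        //    rejects it even though the pattern mirrors the whitelist above.
        //    -Djdk.serialFilter=<same pattern> applies it JVM-wide without code changes.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                NoopHandler.class.getName() + ";java.lang.**;!*");
        ObjectInputStream filtered = new WhitelistOnlyStream(new ByteArrayInputStream(payload), allowed);
        filtered.setObjectInputFilter(filter);
        System.out.println("JEP 290 filter:              " + describe(filtered));
    }
}
```

Compile and run with a Java 9 or later JDK (`javac ProxyWhitelistDemo.java && java ProxyWhitelistDemo`); the first line reports a Proxy instance, the other two report rejection. When the filter is deployed process-wide through the jdk.serialFilter property (also honoured on 8u121 and later), the pattern must list every class the application legitimately deserializes, not only the logging event classes, or unrelated deserialization in the same JVM will start failing; test it against real traffic before relying on it in production.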

Advisories

No advisories yet.

References
History

Mon, 01 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 13:00:00 +0000

Type         Values Removed   Values Added
Description  -                Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection, albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate Proxy objects. Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions. This issue affects logback: through 1.5.33 inclusive.
Title        -                Logback deserialization whitelist bypass for Proxy objects
Weaknesses   -                CWE-502
References   -                -
Metrics      -                cvssV4_0: {'score': 2.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/RE:M/U:Green'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-06-01T13:56:21.654Z

Reserved: 2026-06-01T11:26:04.379Z

Link: CVE-2026-10532

Vulnrichment

Updated: 2026-06-01T13:56:18.213Z

NVD

Status : Received

Published: 2026-06-01T13:16:30.340

Modified: 2026-06-01T13:16:30.340

Link: CVE-2026-10532

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T14:45:26Z

Weaknesses