Description
ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.

The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.
Published: 2026-01-22
Score: 1.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in logback-core's handling of logback.xml files. An attacker who can write to an existing configuration file can embed an instance declaration of any class that is already present on the Java classpath. When the offending file is processed, the class is instantiated. If the attacker chooses a malicious class, this step can lead to code execution. The weakness is classified as improper input validation, CWE-20. The instance is typically discarded after instantiation, but the mere ability to create arbitrary objects from classes on the classpath is a potential exploitation vector for more persistent attacks.

Affected Systems

QOS.CH Sarl's logback-core library is affected. Any Java application that includes logback-core version 1.5.24 or earlier is vulnerable. The CVE references the core module (logback-core) and does not affect other Logback components. No specific operating system or deployment platform is mentioned; the issue arises wherever the vulnerable library is used.

Risk and Exploitability

Scores reflect a low severity: a CVSS base score of 1.8 and an EPSS score below 1%. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to modify a configuration file that is readable and writable by them, typically a local or already-compromised privilege scenario. The exposure surface is limited to Java applications that ship with or load an editable logback.xml file. Because the instance is often discarded immediately, the risk of persistence is low, but the ability to instantiate arbitrary classes remains an attack path that could be leveraged if the chosen class performs harmful operations.

Generated by OpenCVE AI on April 18, 2026 at 03:50 UTC.

Remediation

Vendor Solution

Update to logback version 1.5.25 or later.

OpenCVE Recommended Actions

  • Update logback-core to version 1.5.25 or newer as recommended by the vendor.
  • Restrict write permissions on logback configuration files so that only trusted processes or users can modify them.
  • If migration is delayed, monitor for changes to logback.xml files and verify their integrity using checksums or hashing techniques.
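One way to act on the three recommended actions above, as an added example that is not part of the OpenCVE page or of logback itself: it flags logback-core jars below the fixed version 1.5.25 by file name, reports logback configuration files that are group- or world-writable, and compares each configuration file against a recorded SHA-256 baseline so that unexpected edits stand out. The jar-name pattern and the extra config names logback-test.xml and logback-spring.xml are assumptions; the page names only logback.xml.

```python
import hashlib
import os
import re
import stat
from pathlib import Path

FIXED_VERSION = (1, 5, 25)  # vendor fix named in the advisory
JAR_RE = re.compile(r"^logback-core-(\d+)\.(\d+)\.(\d+)\.jar$")  # assumed naming
# logback.xml is the file named on the page; the other two are assumed
# conventional logback / Spring Boot config names worth watching as well.
CONFIG_NAMES = {"logback.xml", "logback-test.xml", "logback-spring.xml"}

def parse_version(jar_name):
    """(major, minor, patch) for a logback-core jar file name, else None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable_jar(jar_name):
    """True for logback-core versions up to and including 1.5.24."""
    v = parse_version(jar_name)
    return v is not None and v < FIXED_VERSION

def permissions_too_open(mode):
    """True if the file mode grants write access to group or others."""
    return bool(stat.S_IMODE(mode) & (stat.S_IWGRP | stat.S_IWOTH))

def sha256_of(path):
    """Hex SHA-256 of a file, used to compare against a stored baseline."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit(root, baseline):
    """Walk root and return {path: [findings]} for vulnerable jars and for
    config files that are too open or differ from baseline (path -> SHA-256)."""
    report = {}
    for p in (q for q in Path(root).rglob("*") if q.is_file()):
        findings = []
        if is_vulnerable_jar(p.name):
            findings.append("logback-core older than 1.5.25: update")
        elif p.name in CONFIG_NAMES:
            if permissions_too_open(os.stat(p).st_mode):
                findings.append("writable by group/other: restrict permissions")
            expected = baseline.get(str(p))
            if expected is not None and expected != sha256_of(p):
                findings.append("content differs from baseline: investigate")
        if findings:
            report[str(p)] = findings
    return report
```

Run `audit("/opt/app", baseline)` on a schedule with a baseline captured right after a trusted deployment; an empty baseline still yields the version and permission findings.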

Advisories

  Source: GitHub GHSA
  ID:     GHSA-qqpg-mvqg-649v
  Title:  Logback allows an attacker to instantiate classes already present on the class path
History

Wed, 28 Jan 2026 00:15:00 +0000

  References
  Metrics
    Removed: threat_severity = None
    Added:   cvssV3_1 = {'score': 5.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L'}
    Added:   threat_severity = Moderate

Fri, 23 Jan 2026 16:45:00 +0000

  First Time appeared
    Added: Qos
    Added: Qos logback
  Vendors & Products
    Added: Qos
    Added: Qos logback

Thu, 22 Jan 2026 15:15:00 +0000

  Metrics
    Added: ssvc = {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 12:30:00 +0000

  Title
    Removed: Conditional processing of logback.xml configuration file, in conjunction with Spring Framework and Janino
    Added:   Malicious logback.xml configuration file allows instantiation of arbitrary classes

Thu, 22 Jan 2026 09:45:00 +0000

  Description
    Added: ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.
  Title
    Added: Conditional processing of logback.xml configuration file, in conjunction with Spring Framework and Janino
  Weaknesses
    Added: CWE-20
  References
  Metrics
    Added: cvssV4_0 = {'score': 1.8, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/RE:M/U:Green'}

MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-01-22T14:14:17.842Z

Reserved: 2026-01-20T12:29:25.357Z

Link: CVE-2026-1225

Vulnrichment

Updated: 2026-01-22T14:14:14.793Z

NVD

Status: Deferred

Published: 2026-01-22T10:16:07.693

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1225

Red Hat

Severity: Moderate

Published Date: 2026-01-22T09:24:14Z

Links: CVE-2026-1225 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses