Description
Arbitrary code execution (ACE) vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications. It allows an attacker to execute arbitrary code, circumventing the existing protections against CVE-2025-11226, by compromising an existing logback configuration file or by injecting an environment variable before program execution.

A successful attack requires the Janino library to be present on the application's class path. In addition, the attacker must have write access to a configuration file or, alternatively, be able to inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
Published: 2026-06-24
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in QOS.CH's Logback core lies in its handling of conditional configuration files. Classified as CWE‑20 (Improper Input Validation), the vulnerability allows an attacker who can write to or otherwise influence a Logback configuration to embed arbitrary Java code in a conditional expression. Logback hands that expression to the Janino library, which compiles it and executes it inside the running Java process, bypassing the protections introduced for CVE‑2025‑11226 and yielding arbitrary code execution within the application's security context.

Affected Systems

All Java applications that incorporate QOS.CH Sarl:Logback‑core version 1.5.34 or earlier and also have the Janino library on their class path are affected. The vulnerability is exploitable only where the attacker has write access to the Logback configuration file or can inject an environment variable that points to a malicious configuration file. Organizations running any publicly released Logback‑core version up to and including 1.5.34 should treat themselves as impacted; without Janino on the class path the vulnerable code path cannot be reached, but the upgrade is still advisable.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 base score of 7.0 (High). The EPSS estimate is below 1% (Very Low), and the SSVC assessment records no known exploitation and marks the flaw as not automatable. Exploitation requires Janino on the class path together with either write access to a Logback configuration file or the ability to inject an environment variable pointing to a malicious configuration file; the CVSS vector (AV:L, AC:L, AT:P, PR:H) reflects local access with high privileges and a non-default precondition. Because the outcome is arbitrary code execution in the application's security context, the impact on confidentiality and integrity is rated high (availability is not rated, VA:N). The flaw is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 24, 2026 at 10:40 UTC.

Remediation

Vendor Solution

Remove Janino from the Java class path or update to logback version 1.5.35 or later. As of logback 1.5.20, the <condition> element with a custom PropertyEvaluator offers a recommended alternative to conditionals requiring Janino.


Vendor Workaround

Remove Janino from the Java class path or update to logback version 1.5.35 or later. As of logback 1.5.20, the <condition> element with a custom PropertyEvaluator offers a recommended alternative to conditionals requiring Janino.


OpenCVE Recommended Actions

  • Upgrade Logback‑core to version 1.5.35 or later.
  • If an upgrade is not possible, remove the Janino library from the application's class path so that the vulnerable code path cannot be exercised.
  • Restrict write access to the Logback configuration file, and do not let untrusted users or processes set environment variables that reference external configuration files; where possible, replace Janino conditionals with the <condition> element and a custom PropertyEvaluator introduced in Logback 1.5.20.
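The two preconditions above (a vulnerable logback-core together with Janino on the class path, and a configuration that actually uses Janino-evaluated conditionals) can be checked mechanically. The following audit script is an added example written for this page; it is not code from QOS.CH or from the CVE record. It assumes jar files follow the usual `<artifact>-<version>.jar` naming and that Janino conditionals appear as logback's documented `<if condition="...">` element; the jar list and the logback.xml it scans are constructed sample inputs, and the condition shown is the hostname example from the logback manual, not an exploit payload.

```python
"""Audit a Java class path and a logback config for the CVE-2026-13006
preconditions. Example code added to this page; not logback's own code.

Assumptions (not stated in the advisory): jar names follow
<artifact>-<version>.jar, and Janino conditionals are written with the
documented <if condition="..."> element.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release according to the vendor solution.
FIXED_LOGBACK = (1, 5, 35)

# <artifact>-<version>[-qualifier].jar, e.g. logback-core-1.5.34.jar
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][A-Za-z0-9._-]*?)-(?P<version>\d+(?:\.\d+)*)(?:[-.].*)?\.jar$"
)


def parse_version(text):
    """'1.5.34' -> (1, 5, 34); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def logback_core_vulnerable(version):
    """True for logback-core <= 1.5.34. Short versions are zero-padded ('1.5' -> 1.5.0)."""
    v = parse_version(version)
    v = v + (0,) * (3 - len(v))
    return v < FIXED_LOGBACK


def classpath_exposure(jar_names):
    """Return (logback_core_version or None, janino_present, exploitable).

    'exploitable' is True only when both preconditions hold: a logback-core
    build at or below 1.5.34 and a Janino jar on the same class path.
    """
    logback_version = None
    janino = False
    for name in jar_names:
        base = name.replace("\\", "/").rsplit("/", 1)[-1]
        m = JAR_RE.match(base)
        if not m:
            continue
        artifact, version = m.group("artifact"), m.group("version")
        if artifact == "logback-core":
            logback_version = version
        elif artifact == "janino":
            janino = True
    exploitable = (
        janino and logback_version is not None and logback_core_vulnerable(logback_version)
    )
    return logback_version, janino, exploitable


def find_janino_conditionals(xml_text):
    """Return the condition expression of every <if> element in a logback config.

    Each expression is Java source that logback compiles with Janino, so each
    one is a place where a config writer can embed arbitrary code.
    """
    root = ET.fromstring(xml_text)
    return [el.get("condition", "") for el in root.iter("if")]


def audit(jar_names, config_xml):
    """Combine the class path and config checks into one report dict."""
    version, janino, exploitable = classpath_exposure(jar_names)
    return {
        "logback_core": version,
        "vulnerable_logback": version is not None and logback_core_vulnerable(version),
        "janino_on_classpath": janino,
        "exploitable": exploitable,
        "janino_conditionals": find_janino_conditionals(config_xml),
    }


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_JARS = [
    "lib/logback-classic-1.5.34.jar",
    "lib/logback-core-1.5.34.jar",
    "lib/janino-3.1.12.jar",
    "lib/commons-compiler-3.1.12.jar",
]

# The condition is the hostname example from the logback manual; it is a
# benign illustration of the Janino code path, not an exploit.
SAMPLE_CONFIG = """<configuration>
  <if condition='property("HOSTNAME").contains("torino")'>
    <then><root level="DEBUG"/></then>
    <else><root level="INFO"/></else>
  </if>
</configuration>"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_JARS, SAMPLE_CONFIG).items():
        print("%-20s %s" % (key + ":", value))
```

Point the script at the real `lib/` directory (or the output of `mvn dependency:build-classpath`) and at every logback configuration the deployment can load; a report with `exploitable: True` or a non-empty `janino_conditionals` list means the remediation steps above still apply.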

Generated by OpenCVE AI on June 24, 2026 at 10:40 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 06:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

Type: Title
Values Removed: (none)
Values Added: Incomplete protection against CVE-2025-11226

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-20

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:N/RE:M/U:Green'}



MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-06-24T12:24:27.699Z

Reserved: 2026-06-23T14:31:36.004Z

Link: CVE-2026-13006

Vulnrichment

Updated: 2026-06-24T12:24:24.228Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:45:03Z

Weaknesses
  • CWE-20

    Improper Input Validation