CVE-2026-1225

ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

CVSS

No CVSS.

References

Link	Resource
https://logback.qos.ch/news.html#1.5.25

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad ACE en el procesamiento de archivos de configuración por QOS.CH logback-core hasta la versión 1.5.24 inclusive en aplicaciones Java, permite a un atacante instanciar clases ya presentes en el classpath comprometiendo un archivo de configuración de logback existente. La instanciación de una clase Java potencialmente maliciosa requiere que dicha clase esté presente en el classpath del usuario. Además, el atacante debe tener acceso de escritura a un archivo de configuración. Sin embargo, después de una instanciación exitosa, es muy probable que la instancia sea descartada sin más preámbulos.

22 Jan 2026, 10:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-22 10:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-1225

Mitre link : CVE-2026-1225

CVE.ORG link : CVE-2026-1225

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2026-1225", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "vulnerability@ncsc.ch", "cvssData": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.8, "Automatable": "NO", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:X/V:X/RE:M/U:Green", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "GREEN", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-22T10:16:07.693", "references": [{"url": "https://logback.qos.ch/news.html#1.5.25", "source": "vulnerability@ncsc.ch"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "vulnerability@ncsc.ch", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.\n\n\n\n\nThe instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a \nconfiguration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado."}, {"lang": "es", "value": "Vulnerabilidad ACE en el procesamiento de archivos de configuraci\u00f3n por QOS.CH logback-core hasta la versi\u00f3n 1.5.24 inclusive en aplicaciones Java, permite a un atacante instanciar clases ya presentes en el classpath comprometiendo un archivo de configuraci\u00f3n de logback existente.\n\nLa instanciaci\u00f3n de una clase Java potencialmente maliciosa requiere que dicha clase est\u00e9 presente en el classpath del usuario. Adem\u00e1s, el atacante debe tener acceso de escritura a un archivo de configuraci\u00f3n. Sin embargo, despu\u00e9s de una instanciaci\u00f3n exitosa, es muy probable que la instancia sea descartada sin m\u00e1s pre\u00e1mbulos."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "vulnerability@ncsc.ch"}