CVE-2026-1225

medium

Red Hat

CVSS v3 Base Score

5.0

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

Published: January 22, 2026

Last Modified: January 22, 2026

Vendor: Red Hat

Description

ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

CWE

CWE-20

Affected Products

AMQ ClientsLogging Subsystem for Red Hat OpenShiftOpenShift ServerlessRed Hat AMQ Broker 7Red Hat build of Apache Camel for Spring Boot 4Red Hat build of Apache Camel - HawtIO 4Red Hat build of Debezium 2Red Hat build of Debezium 3Red Hat build of OptaPlanner 8Red Hat Data Grid 8

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 logback.qos.ch

CVE-2026-1225

Vulnerability Report

Description

CWE

Affected Products

References