CVE-2026-1225

medium Red Hat
CVSS v3 Base Score
5.0
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
EPSS Score
0.0%
Exploitation probability in 30 days
Top 98% most likely to be exploited
Attack Characteristics
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Confidentiality
Low
Integrity
Low
Availability
Low
Published: January 22, 2026 (112 days ago)
Last Modified: January 22, 2026
Vendor: Red Hat

Description

ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

CWE

CWE-20

Affected Products

AMQ ClientsLogging Subsystem for Red Hat OpenShiftOpenShift ServerlessRed Hat AMQ Broker 7Red Hat build of Apache Camel for Spring Boot 4Red Hat build of Apache Camel - HawtIO 4Red Hat build of Debezium 2Red Hat build of Debezium 3Red Hat build of OptaPlanner 8Red Hat Data Grid 8

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 logback.qos.ch