DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-1225: XML Ghosts in the Machine: Configuring Your Way to RCE in Logback

Vulnerability ID: CVE-2026-1225
CVSS Score: 1.8
Published: 2026-01-22

A logic flaw in the Joran configuration engine within Logback-core allows attackers with write access to configuration files to instantiate arbitrary classes via reflection, leading to code execution.

TL;DR

If an attacker can modify your logback.xml, they can trick the Joran engine into treating a non-existent appender reference as a fully qualified class name. Logback will then helpfully instantiate that class via reflection. While the CVSS is low due to the prerequisite of file write access, it serves as a powerful persistence or privilege escalation vector.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-470
  • Attack Vector: Local (File Write)
  • CVSS v4.0: 1.8 (Low)
  • Impact: Arbitrary Code Execution
  • Privileges Required: High (Write Access)
  • Exploit Status: PoC / Theoretical

Affected Systems

  • Java applications using Logback-core for logging
  • Spring Boot applications (default logging implementation)
  • Systems using Joran configuration engine
  • Logback-core: < 1.5.25 (Fixed in: 1.5.25)

Code Analysis

Commit: 1f97ae1

Enforce appender declaration in Joran configuration to prevent arbitrary class instantiation

@@ -1,5 +1,6 @@
+ // New check in AppenderRefModelHandler
+ if (!isAppenderDeclared(mic, appenderName)) {
+     addWarn("Appender named [" + appenderName + "] not declared. Skipping attachment.");
+     return;
+ }
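Review bot: the new guard in AppenderRefModelHandler turns an undeclared appender reference into an addWarn plus a silent return, so a mistyped ref="..." now drops the attachment without failing configuration; since that name would previously have been resolved as a class, consider addError (or at least listing the declared appender names in the status message) so the condition is not lost at warn level. Also, isAppenderDeclared(mic, appenderName) is not part of the hunk, so the review cannot confirm it consults only the appenders declared earlier in the same configuration context and never falls back to a class lookup.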

Exploit Details

Mitigation Strategies

  • Restrict filesystem permissions on configuration files (logback.xml)
  • Disable Logback configuration scanning (auto-reload)
  • Implement File Integrity Monitoring (FIM) for config files
  • Remove unused classes from the classpath to reduce gadget availability
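As an added defensive check that is not part of the advisory or of the Logback code base, the script below lints a logback.xml for the condition the TL;DR describes (an appender-ref whose name matches no declared appender, which pre-1.5.25 Joran would not reject) and for the auto-reload setting named in the mitigation list; the sample configuration is constructed for the example.

```python
# Added example (not from the advisory or the Logback project): lint a logback.xml
# for (1) <appender-ref> elements whose ref matches no declared <appender name=...>
# and (2) configuration scanning (auto-reload) being enabled.
import xml.etree.ElementTree as ET

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_LOGBACK_XML = """<configuration scan="true" scanPeriod="30 seconds">
  <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level %logger - %msg%n</pattern></encoder>
  </appender>
  <logger name="com.example" level="DEBUG">
    <appender-ref ref="CONSOLE"/>
    <appender-ref ref="NOT_DECLARED_ANYWHERE"/>
  </logger>
  <root level="INFO">
    <appender-ref ref="CONSOLE"/>
  </root>
</configuration>
"""


def lint_logback_config(xml_text):
    """Return declared appenders, undeclared appender-refs and the scan flag.

    Before logback-core 1.5.25 an <appender-ref> whose ref matched no
    <appender name="..."> was not rejected by Joran, so every such ref is
    reported; scan="true" on <configuration> means the file is re-read at
    runtime, which widens the window in which a modified file takes effect.
    """
    root = ET.fromstring(xml_text)
    # iter() also covers appenders nested inside others (e.g. under <sift>).
    declared = {a.get("name") for a in root.iter("appender") if a.get("name")}
    undeclared = []
    for ref in root.iter("appender-ref"):
        name = ref.get("ref") or "<missing ref attribute>"
        if name not in declared:
            undeclared.append(name)
    scan_enabled = (root.get("scan") or "").strip().lower() == "true"
    return {
        "declared_appenders": sorted(declared),
        "undeclared_refs": undeclared,
        "scan_enabled": scan_enabled,
    }


if __name__ == "__main__":
    report = lint_logback_config(SAMPLE_LOGBACK_XML)
    for name in report["undeclared_refs"]:
        print(f"WARN: appender-ref [{name}] is not declared in this file")
    if report["scan_enabled"]:
        print("WARN: configuration scan (auto-reload) is enabled")
```

Run it against each logback.xml under your control; any reported undeclared reference is either a typo or something that needs investigation, independently of whether the library has already been upgraded.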

Remediation Steps:

  1. Update ch.qos.logback:logback-core to version 1.5.25 or later.
  2. Verify the update by checking dependency trees: mvn dependency:tree or gradle dependencies.
  3. Restart the application to ensure the new Joran logic is active.

References
Read the full report for CVE-2026-1225 on our website for more details including interactive diagrams and full exploit analysis.