<Vulnerability name="CVE-2026-13006">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-24T05:41:32</PublicDate>
    <Bugzilla id="2492077" url="https://bugzilla.redhat.com/show_bug.cgi?id=2492077" xml:lang="en:us">
logback-core: Logback-core: Arbitrary Code Execution via Malicious Configuration or Environment Variable
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.0</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-94</CWE>
    <Details xml:lang="en:us" source="Mitre">
ACE vulnerability in conditional configuration file processing  by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution.



A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must  have write access to a 
configuration file. Alternatively, the attacker could inject a malicious 
environment variable pointing to a malicious configuration file. In both 
cases, the attack requires existing privilege.

Please note that in logack version 1.5.37 conditional processing using Janino was removed.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in logback-core, a logging framework for Java applications. This vulnerability allows an attacker with existing privileges and write access to a configuration file, or the ability to inject a malicious environment variable, to execute arbitrary code. This can be achieved by compromising an existing logback configuration file or by injecting an environment variable before program execution, circumventing existing protections. A successful attack requires the Janino library to be present on the user's class path.
    </Details>
    <PackageState cpe="cpe:/a:redhat:migration_toolkit_applications:8">
        <ProductName>Migration Toolkit for Applications 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>mta/mta-cli-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:migration_toolkit_applications:8">
        <ProductName>Migration Toolkit for Applications 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>mta/mta-java-external-provider-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>openshift-serverless-1/kn-ekb-dispatcher-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:serverless:1">
        <ProductName>OpenShift Serverless</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>openshift-serverless-1/kn-ekb-receiver-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_broker:7">
        <ProductName>Red Hat AMQ Broker 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_clients:2023">
        <ProductName>Red Hat AMQ Clients</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:camel_spring_boot:4">
        <ProductName>Red Hat build of Apache Camel for Spring Boot 4</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:apache_camel_hawtio:4">
        <ProductName>Red Hat build of Apache Camel - HawtIO 4</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:debezium:3">
        <ProductName>Red Hat build of Debezium 3</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_data_grid:8">
        <ProductName>Red Hat Data Grid 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>slf4j</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>log4j:2/log4j</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>maven:3.8/slf4j</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>maven:3.9/slf4j</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>slf4j</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_fuse:7">
        <ProductName>Red Hat Fuse 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:7">
        <ProductName>Red Hat JBoss Enterprise Application Platform 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_application_platform:8">
        <ProductName>Red Hat JBoss Enterprise Application Platform 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jbosseapxp">
        <ProductName>Red Hat JBoss Enterprise Application Platform Expansion Pack</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_enterprise_web_server:6">
        <ProductName>Red Hat JBoss Web Server 6</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>devspaces/openvsx-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>devspaces/pluginregistry-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>devspaces/server-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>candlepin</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>openvox-server</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>puppetserver</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>satellite:el8/candlepin</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>satellite:el8/puppetserver</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_single_sign_on:7">
        <ProductName>Red Hat Single Sign-On 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_streams:2">
        <ProductName>streams for Apache Kafka 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_streams:3">
        <ProductName>streams for Apache Kafka 3</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>logback-core</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-13006
https://nvd.nist.gov/vuln/detail/CVE-2026-13006
https://logback.qos.ch/news.html#1.5.35
    </References>
</Vulnerability>