CVE-2026-13006 Overview
CVE-2026-13006 is an arbitrary code execution (ACE) vulnerability in QOS.CH logback-core versions up to and including 1.5.34. The flaw resides in conditional configuration file processing and circumvents existing protections introduced for CVE-2025-11226. An attacker with local privileges can execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable that points to a malicious configuration. Successful exploitation requires the Janino library to be present on the Java application's class path. This issue is tracked under [CWE-20: Improper Input Validation].
Critical Impact
Attackers with write access to a logback configuration file or the ability to set environment variables can achieve arbitrary code execution inside affected Java applications.
Affected Products
- QOS.CH logback-core versions up to and including 1.5.34
- Java applications bundling vulnerable logback-core with the Janino library on the class path
- Fixed in logback1.5.35
Discovery Timeline
- 2026-06-24 - CVE-2026-13006 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-13006
Vulnerability Analysis
The vulnerability stems from how logback-core processes conditional expressions in its XML configuration files. Logback supports <if>, <then>, and <else> constructs that are evaluated at configuration-load time using the Janino Java compiler. When Janino is on the class path, these conditional expressions are compiled and executed as Java code. The fix for CVE-2025-11226 attempted to restrict this behavior, but CVE-2026-13006 demonstrates that the protections can be bypassed under specific conditions involving controlled configuration content or environment variables.
Exploitation does not occur over the network. The attacker must already hold privileges sufficient to modify a configuration file or inject an environment variable into the target process before it starts. Once a malicious configuration is loaded, the embedded Java expression executes in the context of the JVM, granting the attacker arbitrary code execution at the privilege level of the running application.
Root Cause
The root cause is improper input validation ([CWE-20]) in conditional configuration processing. Logback evaluates dynamic content inside configuration files as compiled Java code through Janino, without sufficiently constraining what conditional expressions may contain or where the configuration file may originate. The previous mitigation for CVE-2025-11226 did not account for attacker-controlled configuration paths supplied through environment variables.
Attack Vector
Two local attack paths are documented. First, an attacker with write access to an existing logback configuration file can insert a malicious <if> block whose condition contains Java code executed by Janino at load time. Second, an attacker who can inject an environment variable before program execution can redirect logback to load a malicious configuration file under their control. In both paths, the attacker leverages pre-existing privileges to escalate to arbitrary code execution within the JVM. No user interaction is required once the application restarts or reloads its configuration.
Detection Methods for CVE-2026-13006
Indicators of Compromise
- Unexpected modifications to logback.xml, logback-test.xml, or other logback configuration files on production systems.
- Presence of <if>, <then>, or <else> blocks in configuration files where conditional logic is not expected.
- Environment variables such as logback.configurationFile set to paths outside standard application directories.
- Unexpected child processes spawned by Java applications that load logback during startup.
Detection Strategies
- Inventory all Java applications and identify those bundling logback-core<= 1.5.34 together with the Janino library.
- Perform file integrity monitoring on logback configuration files within application deployment directories.
- Audit process environment variables for Java processes to identify references to non-standard configuration paths.
- Review application startup logs for Janino compilation events triggered by conditional configuration elements.
Monitoring Recommendations
- Log and alert on writes to logback configuration files outside of authorized deployment workflows.
- Monitor JVM child-process creation chains for shells, scripting interpreters, or network utilities spawned from Java parents.
- Correlate environment variable changes with subsequent application restarts to detect injection attempts.
How to Mitigate CVE-2026-13006
Immediate Actions Required
- Upgrade logback-core and related logback artifacts to version 1.5.35 or later across all Java applications.
- Remove the Janino library from the class path of any Java application that does not require conditional configuration processing.
- Restrict filesystem permissions on logback configuration files so only privileged deployment accounts can modify them.
- Audit and lock down which environment variables can be set for service accounts running Java applications.
Patch Information
QOS.CH has addressed the issue in logback 1.5.35. Refer to the Logback Release Notes for upgrade guidance and the complete list of changes.
Workarounds
- Remove the Janino dependency from the application class path to disable conditional configuration evaluation entirely.
- Eliminate <if>, <then>, and <else> blocks from logback configuration files where Janino cannot be removed.
- Enforce strict file permissions and integrity controls so unprivileged users cannot alter configuration files.
- Configure Java service launchers to ignore or sanitize externally supplied logback configuration environment variables.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

