CVE-2026-10532 LOW

CVE-2026-10532: Logback deserialization whitelist bypass for Proxy objects

Vendor Qos.ch Sarl
Product logback
Weakness CWE-502 · Unsafe deserialization
Published June 1, 2026
Last update June 1, 2026

CVSS base score

2.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/RE:M/U:Green

What the vulnerability does

01Description

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection, albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate Proxy objects. Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions. This issue affects logback: through 1.5.33 inclusive.

Key dates

02Disclosure timeline

June 1, 2026 CVE published
June 1, 2026 Record updated