diff --git a/sdks/java/io/expansion-service/build.gradle b/sdks/java/io/expansion-service/build.gradle
index dbd6e279846b..be9e3704e6c2 100644
--- a/sdks/java/io/expansion-service/build.gradle
+++ b/sdks/java/io/expansion-service/build.gradle
@@ -50,10 +50,9 @@ configurations.runtimeClasspath {
     }
   }
 
-  // Pin logback to 1.5.20
-  // Cannot upgrade to io modules due to logback 1.4.x dropped Java 8 support
-  resolutionStrategy.force "ch.qos.logback:logback-classic:1.5.20"
-  resolutionStrategy.force "ch.qos.logback:logback-core:1.5.20"
+  // Pin logback to 1.5.27 to resolve CVE-2026-1225
+  resolutionStrategy.force "ch.qos.logback:logback-classic:1.5.27"
+  resolutionStrategy.force "ch.qos.logback:logback-core:1.5.27"
 }
 
 shadowJar {