Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 30 maven packages depend on org.apache.syncope.core:syncope-core-spring (4 direct, 26 indirect)
Ecosystem-wide dependent count for version 3.0.0-M0.
DescriptionCVE.org
Improper Isolation or Compartmentalization vulnerability in Apache Syncope.
An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer.
This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.
Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.
AnalysisAI
Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a high-privileged administrator holding Implementations entitlements to run untrusted code outside the sandbox. By placing payload logic in a Groovy class static initializer, the attacker reaches a non-sandboxed execution path, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 6th percentile), consistent with a privilege-gated, not mass-scanned, issue.
Technical ContextAI
Apache Syncope is an open-source identity governance and administration (IGA) platform for managing identities, accounts, and provisioning across connected systems. Its Implementations feature lets administrators supply custom logic - including Groovy scripts - that Syncope compiles and executes to extend behavior such as provisioning and propagation. To contain this, Syncope runs Groovy under a sandbox that restricts dangerous operations. The root cause is CWE-653 (Improper Isolation or Compartmentalization): the sandbox failed to cover the Groovy class static initializer block, so code placed there executed without the intended restrictions. CPE confirms the affected product as cpe:2.3:a:apache_software_foundation:apache_syncope. The fix in 4.0.6 / 4.1.1 extends sandbox enforcement to static initializers as well.
RemediationAI
Vendor-released patch: 4.0.6 / 4.1.1 - upgrade the 4.0.x branch to 4.0.6 and the 4.1.x branch to 4.1.1, which force Groovy static initializers to execute inside the sandbox; 3.0.x users should plan a migration to a fixed 4.x release as no fixed 3.0.x version is listed. Until patched, the most effective compensating control is to minimize who can author Implementations: audit and revoke the Implementations entitlement from all but a tightly controlled set of trusted administrators (trade-off: legitimate admins lose the ability to create/update custom Groovy logic until restored). Additionally, enforce strong authentication and monitoring on admin accounts and review existing Implementations for unexpected or recently added Groovy classes, since exploitation requires an authenticated privileged admin. Consult the Apache advisory at https://lists.apache.org/thread/b869ms0ofrd129f7tgsn9flxgv9ztg2r for full details.
Same weakness CWE-653 – Improper Isolation or Compartmentalization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31696
GHSA-gq7g-vg2q-jvq3