Skip to main content

Apache Syncope CVE-2026-42782

| EUVDEUVD-2026-31696 HIGH
Improper Isolation or Compartmentalization (CWE-653)
2026-05-25 apache GHSA-gq7g-vg2q-jvq3
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 27, 2026 - 21:07 vuln.today
CVSS changed
May 27, 2026 - 21:07 NVD
7.2 (HIGH)
CVE Published
May 25, 2026 - 14:58 nvd
HIGH 7.2
CVE Published
May 25, 2026 - 14:58 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 30 maven packages depend on org.apache.syncope.core:syncope-core-spring (4 direct, 26 indirect)

Ecosystem-wide dependent count for version 3.0.0-M0.

DescriptionCVE.org

Improper Isolation or Compartmentalization vulnerability in Apache Syncope.

An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer.

This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.

Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.

AnalysisAI

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a high-privileged administrator holding Implementations entitlements to run untrusted code outside the sandbox. By placing payload logic in a Groovy class static initializer, the attacker reaches a non-sandboxed execution path, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 6th percentile), consistent with a privilege-gated, not mass-scanned, issue.

Technical ContextAI

Apache Syncope is an open-source identity governance and administration (IGA) platform for managing identities, accounts, and provisioning across connected systems. Its Implementations feature lets administrators supply custom logic - including Groovy scripts - that Syncope compiles and executes to extend behavior such as provisioning and propagation. To contain this, Syncope runs Groovy under a sandbox that restricts dangerous operations. The root cause is CWE-653 (Improper Isolation or Compartmentalization): the sandbox failed to cover the Groovy class static initializer block, so code placed there executed without the intended restrictions. CPE confirms the affected product as cpe:2.3:a:apache_software_foundation:apache_syncope. The fix in 4.0.6 / 4.1.1 extends sandbox enforcement to static initializers as well.

RemediationAI

Vendor-released patch: 4.0.6 / 4.1.1 - upgrade the 4.0.x branch to 4.0.6 and the 4.1.x branch to 4.1.1, which force Groovy static initializers to execute inside the sandbox; 3.0.x users should plan a migration to a fixed 4.x release as no fixed 3.0.x version is listed. Until patched, the most effective compensating control is to minimize who can author Implementations: audit and revoke the Implementations entitlement from all but a tightly controlled set of trusted administrators (trade-off: legitimate admins lose the ability to create/update custom Groovy logic until restored). Additionally, enforce strong authentication and monitoring on admin accounts and review existing Implementations for unexpected or recently added Groovy classes, since exploitation requires an authenticated privileged admin. Consult the Apache advisory at https://lists.apache.org/thread/b869ms0ofrd129f7tgsn9flxgv9ztg2r for full details.

Share

CVE-2026-42782 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy