Skip to main content

Apache Syncope CVE-2026-42797

| EUVDEUVD-2026-31702 MEDIUM
Exposure of Sensitive Information Through Data Queries (CWE-202)
2026-05-25 apache GHSA-vr35-jm2f-8wg2
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 12:07 vuln.today
CVSS changed
May 26, 2026 - 21:22 NVD
4.9 (MEDIUM)
CVE Published
May 25, 2026 - 15:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 25, 2026 - 15:00 nvd
MEDIUM 4.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 35 maven packages depend on org.apache.syncope.core:syncope-core-provisioning-api (5 direct, 30 indirect)

Ecosystem-wide dependent count for version 3.0.0-M0.

DescriptionCVE.org

Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope.

An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related security-sensitive information.

This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.

Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by further restricting the JEXL expression definition.

AnalysisAI

Malicious JEXL expression injection in Apache Syncope's Derived Schema feature enables privileged information disclosure across administrative roles. An administrator holding entitlements over Derived Schemas can embed a crafted JEXL expression that, when evaluated in the context of another administrator's User read operation, exposes security-sensitive User attributes that would not normally be accessible. Affected versions span three release lines (3.0.x through 3.0.16, 4.0.x through 4.0.5, and 4.1.0); no active exploitation is confirmed (no CISA KEV listing) and the EPSS score of 0.02% places this in the 4th percentile for exploitation probability.

Technical ContextAI

Apache Syncope is an open-source Identity Management system (IdM/IAM) built on Java. Derived Schemas in Syncope allow administrators to define computed attributes for users or other entities using JEXL (Java Expression Language) expressions - a powerful scripting capability intended for dynamic attribute derivation. CWE-202 (Exposure of Sensitive Information Through Data Queries) describes the root cause: insufficiently restricted query or expression logic that allows an actor to extract data beyond their intended authorization scope. In this case, JEXL expressions lack adequate sandboxing or allowlist controls, enabling a schema-privileged admin to craft an expression that traverses into security-sensitive User fields when evaluated during a User read operation. The affected CPE is cpe:2.3:a:apache_software_foundation:apache_syncope across the 3.0, 4.0, and 4.1 release branches. The fix (versions 4.0.6 and 4.1.1) addresses this by further restricting which JEXL constructs are permissible in schema definitions.

RemediationAI

Vendor-released patches are available: upgrade Apache Syncope to version 4.0.6 or 4.1.1, which resolve this issue by further restricting permissible JEXL expression definitions in Derived Schema configurations. The Apache advisory is at https://lists.apache.org/thread/5y7d277sntyytrmxnx2tfjr9ftcpq1s6 and the oss-security disclosure is at http://www.openwall.com/lists/oss-security/2026/05/25/5. For the 3.0.x branch, no patched version is listed in the available intelligence - organizations still on 3.0.x should treat migration to a supported release line as the primary remediation path. If immediate patching is not feasible, a compensating control is to audit and restrict which administrators hold Derived Schemas entitlements, reducing the attack surface to only the most trusted accounts; however, this does not eliminate the underlying JEXL expression evaluation risk and should be treated as a temporary measure only.

Share

CVE-2026-42797 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy