Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 35 maven packages depend on org.apache.syncope.core:syncope-core-provisioning-api (5 direct, 30 indirect)
Ecosystem-wide dependent count for version 3.0.0-M0.
DescriptionCVE.org
Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope.
An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related security-sensitive information.
This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.
Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by further restricting the JEXL expression definition.
AnalysisAI
Malicious JEXL expression injection in Apache Syncope's Derived Schema feature enables privileged information disclosure across administrative roles. An administrator holding entitlements over Derived Schemas can embed a crafted JEXL expression that, when evaluated in the context of another administrator's User read operation, exposes security-sensitive User attributes that would not normally be accessible. Affected versions span three release lines (3.0.x through 3.0.16, 4.0.x through 4.0.5, and 4.1.0); no active exploitation is confirmed (no CISA KEV listing) and the EPSS score of 0.02% places this in the 4th percentile for exploitation probability.
Technical ContextAI
Apache Syncope is an open-source Identity Management system (IdM/IAM) built on Java. Derived Schemas in Syncope allow administrators to define computed attributes for users or other entities using JEXL (Java Expression Language) expressions - a powerful scripting capability intended for dynamic attribute derivation. CWE-202 (Exposure of Sensitive Information Through Data Queries) describes the root cause: insufficiently restricted query or expression logic that allows an actor to extract data beyond their intended authorization scope. In this case, JEXL expressions lack adequate sandboxing or allowlist controls, enabling a schema-privileged admin to craft an expression that traverses into security-sensitive User fields when evaluated during a User read operation. The affected CPE is cpe:2.3:a:apache_software_foundation:apache_syncope across the 3.0, 4.0, and 4.1 release branches. The fix (versions 4.0.6 and 4.1.1) addresses this by further restricting which JEXL constructs are permissible in schema definitions.
RemediationAI
Vendor-released patches are available: upgrade Apache Syncope to version 4.0.6 or 4.1.1, which resolve this issue by further restricting permissible JEXL expression definitions in Derived Schema configurations. The Apache advisory is at https://lists.apache.org/thread/5y7d277sntyytrmxnx2tfjr9ftcpq1s6 and the oss-security disclosure is at http://www.openwall.com/lists/oss-security/2026/05/25/5. For the 3.0.x branch, no patched version is listed in the available intelligence - organizations still on 3.0.x should treat migration to a supported release line as the primary remediation path. If immediate patching is not feasible, a compensating control is to audit and restrict which administrators hold Derived Schemas entitlements, reducing the attack surface to only the most trusted accounts; however, this does not eliminate the underlying JEXL expression evaluation risk and should be treated as a temporary measure only.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31702
GHSA-vr35-jm2f-8wg2