- Description
- Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator holding the entitlements needed to manage Implementations can upload a malicious Groovy class whose untrusted code reaches a non-sandboxed execution path through the class static initializer: the sandbox applied to Groovy code did not cover class initialization, so code placed in a static { } block runs when the JVM initializes the class (on first instantiation or static member access) rather than inside the sandboxed method invocation. This issue affects Apache Syncope 3.0.0 through 3.0.16, 4.0.0 through 4.0.5, and 4.1.0. Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox. No fixed 3.0.x release is listed, so deployments on the 3.0 line need to move to 4.0.6 or later. Exploitation requires an already-authenticated, highly privileged administrator (PR:H in the CVSS vector), which is why the issue is characterised as post-auth RCE.
- Source
- security@apache.org
- NVD status
- Modified
- Products
- syncope
CVSS 3.1
- Type
- Primary
- Base score
- 7.2
- Impact score
- 5.9
- Exploitability score
- 1.2
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
Weakness
- Source
- security@apache.org
- CWE
- CWE-653 (Improper Isolation or Compartmentalization)
- Hype score
- Not currently trending
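The timing problem behind the description, as an added example that is not Apache Syncope's code: a host that sandboxes only the invocation of an uploaded Groovy class never sees its static initializer, because the JVM runs that block at class initialization (first instantiation or static member access), not when the method is called. SandboxState, its thread-local flag and the Probe class are hypothetical names; the flag stands in for whatever real sandbox mechanism the host uses, so only the ordering of guard versus <clinit> is being shown. The class source is constructed for the example.

```groovy
// Added example, not Apache Syncope code. SandboxState and Probe are hypothetical
// names; the thread-local flag stands in for a real sandbox (e.g. a Groovy
// interceptor) so the class-initialization timing becomes visible.
import groovy.lang.GroovyClassLoader

class SandboxState {
    static final ThreadLocal<Boolean> ACTIVE = ThreadLocal.withInitial { false }

    // Run body with the "sandbox" marked active, then clear the flag again.
    static <T> T guarded(Closure<T> body) {
        ACTIVE.set(true)
        try {
            return body.call()
        } finally {
            ACTIVE.set(false)
        }
    }
}

// Constructed untrusted class source, as an Implementation upload might carry.
// The static block executes when the JVM initializes the class, i.e. on first
// instantiation or static member access, not when the host calls execute().
String untrusted = '''
class Probe {
    static boolean initGuarded
    static { initGuarded = SandboxState.ACTIVE.get() }
    boolean execute() { SandboxState.ACTIVE.get() }
}
'''

// Vulnerable host pattern: compile and instantiate outside the guard and guard
// only the method call. parseClass defines the class without initializing it;
// newInstance() is what triggers <clinit>, here while the flag is still false.
Class<?> probe = new GroovyClassLoader(SandboxState.classLoader).parseClass(untrusted)
Object instance = probe.getDeclaredConstructor().newInstance()
boolean methodGuarded = SandboxState.guarded { instance.execute() }
assert probe.initGuarded == false   // static initializer ran unguarded
assert methodGuarded == true        // only the method body was guarded

// Fixed host pattern: a fresh loader (a Class is initialized only once), with
// instantiation, and therefore <clinit>, performed inside the guard as well.
Class<?> probeFixed = new GroovyClassLoader(SandboxState.classLoader).parseClass(untrusted)
boolean fixedInitGuarded = SandboxState.guarded {
    probeFixed.getDeclaredConstructor().newInstance()
    probeFixed.initGuarded
}
assert fixedInitGuarded == true     // static initializer now ran under the guard

println "static init guarded before fix: ${probe.initGuarded}, after fix: ${fixedInitGuarded}"
```

Run it with the groovy command line; the assertions pass on an unpatched-style host because the first Probe's static block observes the flag unset while the second, initialized inside the guard, observes it set. The same check applied to a real sandbox (replace the flag with the interceptor's registration) tells you whether class initialization is covered.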
CVE-2026-42782: Apache Syncope: Post-auth RCE via Groovy static https://t.co/juKB2BZm7S CVE-2026-42797: Apache Syncope: JexlContextBuilder Information Disclosure https://t.co/OJ4pSRQ1FD
@oss_security
26 May 2026
CVE-2026-42782 CVE-2026-42782 https://t.co/doRpR6Mjja
@VulmonFeeds
25 May 2026
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "81A43F1F-85A5-405B-B28A-CA2AE38D5454",
"versionEndIncluding": "3.0.16",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4766DF17-5264-4EE6-8819-55E799DE1752",
"versionEndExcluding": "4.0.6",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:syncope:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EA64D586-A72F-4350-812A-B3284F47823C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]