CVE-2026-42782

Summary

Improper Isolation or Compartmentalization vulnerability in Apache Syncope.

An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer.

This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.

Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Syncope3.0 <= 3.0.16affected
Apache Software FoundationApache Syncope4.0 <= 4.0.5affected
Apache Software FoundationApache Syncope4.1 <= 4.1.0affected

Weaknesses

  • CWE-653: CWE-653 Improper Isolation or Compartmentalization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References