CVE-2026-42797

Summary

Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope.

An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related security-sensitive information.

This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.

Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by further restricting the JEXL expression definition.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Syncope3.0 <= 3.0.16affected
Apache Software FoundationApache Syncope4.0 <= 4.0.5affected
Apache Software FoundationApache Syncope4.1 <= 4.1.0affected

Weaknesses

  • CWE-202: CWE-202 Exposure of Sensitive Information Through Data Queries

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References