CVE-2026-42782
Improper Isolation in Apache Syncope via Groovy Execution
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | syncope | From 3.0 (inc) to 3.0.16 (inc) |
| apache | syncope | From 4.0 (inc) to 4.0.5 (inc) |
| apache | syncope | From 4.1 (inc) to 4.1.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-653 | The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is an Improper Isolation or Compartmentalization issue (CWE-653) in Apache Syncope. An administrator who holds the entitlements for managing Implementations can upload a Groovy class whose static initializer contains untrusted code. Syncope runs Groovy implementation code inside a sandbox, but on affected versions the class static initializer was executed outside that sandbox, so code placed there runs without the intended restrictions as soon as the class is loaded.
How can this vulnerability impact me?
Because the static initializer runs outside the sandbox, the code can do anything the Syncope Core process can, putting the integrity, confidentiality and availability of the deployment and of the identity data it manages at risk. The precondition is an administrator account with Implementation permissions, so the issue matters most where Implementation management is delegated to less trusted administrators or where such an account is compromised.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Apache Syncope to version 4.0.6 or 4.1.1. Note that the affected-product table above also lists 3.0.0 through 3.0.16, but no fixed 3.0.x release is given on this page.
These versions fix the issue by forcing even the static initializer in Groovy code to run in a sandbox, preventing untrusted code execution.
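A review helper, added here as an example and not part of Apache Syncope or of this advisory: it scans Groovy Implementation source for `static { ... }` blocks declared directly in a class body, the construct that ran unsandboxed on affected releases, and checks a version string against the affected ranges listed above. The sample Groovy class and its property-setting body are constructed for the demonstration; fetching the sources from a deployment (Admin Console export or the REST API) is outside the example.

```python
"""Inventory Groovy Implementations that carry a class static initializer.

Added example, not Apache Syncope's own code.  Input is Groovy source text;
output is the list of `static { ... }` blocks that sit directly in a class body.
"""
import re

# class/enum/trait declarations, `static {` blocks, and bare braces, in source order
_TOKENS = re.compile(r"\b(?:class|enum|trait)\s+(\w+)|\bstatic\s*\{|[{}]")

# Affected ranges as listed in the advisory table (inclusive).
AFFECTED = [((3, 0, 0), (3, 0, 16)), ((4, 0, 0), (4, 0, 5)), ((4, 1, 0), (4, 1, 0))]


def _blank_noise(src: str) -> str:
    """Replace comments and string literals with spaces, keeping newlines so
    line numbers still line up.  Braces inside strings (GString "${...}") and
    comments would otherwise confuse the brace matcher."""
    out, i, n = [], 0, len(src)
    while i < n:
        two = src[i:i + 2]
        if two == "//":
            j = src.find("\n", i)
            j = n if j < 0 else j
        elif two == "/*":
            j = src.find("*/", i + 2)
            j = n if j < 0 else j + 2
        elif src[i] in "\"'":
            q = src[i:i + 3] if src[i:i + 3] in ('"""', "'''") else src[i]
            j = i + len(q)
            while j < n and not src.startswith(q, j):
                j += 2 if src[j] == "\\" else 1   # skip escaped characters
            j = min(n, j + len(q))
        else:
            out.append(src[i])
            i += 1
            continue
        out.append("".join(c if c == "\n" else " " for c in src[i:j]))
        i = j
    return "".join(out)


def _matching_close(blanked: str, open_idx: int) -> int:
    """Index of the `}` matching the `{` at open_idx in comment/string-free text."""
    depth = 0
    for k in range(open_idx, len(blanked)):
        if blanked[k] == "{":
            depth += 1
        elif blanked[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced braces")


def find_static_initializers(src: str) -> list:
    """Return [{'class', 'line', 'body'}, ...] for every static initializer
    declared directly in a class body (static methods are not reported)."""
    blanked = _blank_noise(src)
    found, stack, depth, pending = [], [], 0, None   # stack: (class name, body depth)
    for m in _TOKENS.finditer(blanked):
        tok = m.group(0)
        if m.group(1):                          # class/enum/trait Name
            pending = m.group(1)
        elif tok.startswith("static"):          # static { ... }
            if stack and stack[-1][1] == depth: # directly inside a class body
                open_idx = m.end() - 1
                close_idx = _matching_close(blanked, open_idx)
                found.append({
                    "class": stack[-1][0],
                    "line": blanked.count("\n", 0, m.start()) + 1,
                    "body": src[open_idx + 1:close_idx].strip(),
                })
            depth += 1
        elif tok == "{":
            depth += 1
            if pending:                         # this brace opens the class body
                stack.append((pending, depth))
                pending = None
        else:                                   # "}"
            if stack and stack[-1][1] == depth:
                stack.pop()
            depth -= 1
    return found


def is_affected(version: str) -> bool:
    """True if a Syncope version string falls inside an affected range."""
    parts = tuple(int(p) for p in version.split("-")[0].split("."))
    parts = (parts + (0, 0, 0))[:3]
    return any(lo <= parts <= hi for lo, hi in AFFECTED)


# Constructed sample: one Implementation with a static initializer, one without.
SAMPLE = '''
package org.apache.syncope.core.provisioning.java.propagation

// constructed example of an uploaded Groovy Implementation
class AuditPropagationActions implements PropagationActions {
    static final String TAG = "{not a brace}"   // brace inside a string is ignored
    static {
        // runs at class load, before any sandboxed method is invoked
        System.setProperty("audit.tag", TAG)
    }
    void before(PropagationTaskInfo taskInfo) { /* { comment brace } */ }
}

class Harmless {
    static void helper() { }   // static method, not an initializer
}
'''

if __name__ == "__main__":
    for hit in find_static_initializers(SAMPLE):
        print(f"{hit['class']} line {hit['line']}: {hit['body']!r}")
    print("4.0.5 affected:", is_affected("4.0.5"), "| 4.0.6 affected:", is_affected("4.0.6"))
```

Run it over each exported Implementation body; any hit on an affected version is code that executed without the sandbox, and is worth reviewing even after the upgrade, since the fix sandboxes the initializer rather than rejecting it.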