CVE-2026-42797
Exposure of Sensitive Information in Apache Syncope via Malicious JEXL
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | syncope | From 3.0 (inc) to 3.0.16 (inc) |
| apache | syncope | From 4.0 (inc) to 4.0.5 (inc) |
| apache | syncope | 4.1.0 |
| apache | syncope | 4.0.6 |
| apache | syncope | 4.1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-202 | When trying to keep information confidential, an attacker can often infer some of the information by using statistics. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are recommended to upgrade Apache Syncope to version 4.0.6 or 4.1.1, which fix the issue by further restricting the JEXL expression definition.
Can you explain this vulnerability to me?
This vulnerability in Apache Syncope allows an administrator with the right permissions for Derived Schemas to create a malicious JEXL expression.
This malicious expression enables any administrator who has sufficient permissions to read User data to access security-sensitive information related to users that they normally should not be able to see.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized exposure of sensitive user information to administrators who should not have access to such data.
This could result in data breaches, privacy violations, and potential misuse of sensitive user information within the affected Apache Syncope versions.