CVE-2026-42797
published 2026-05-25CVE-2026-42797: Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administrator with adequate entitlements for Derived Schemas can…
medium4.9CVSS 3.1
AVNACLPRHUINSUCHINAN
Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope.
An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related security-sensitive information.
This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.
Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by further restricting the JEXL expression definition.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | syncope | — | — |
| apache | syncope | 3.0.0 – 3.0.16 | — |
| apache | syncope | >= 4.0.0 < 4.0.6 | 4.0.6 |
| apache_software_foundation | apache_syncope | 3.0 – 3.0.16 | — |
| apache_software_foundation | apache_syncope | 4.0 – 4.0.5 | — |
| apache_software_foundation | apache_syncope | 4.1 – 4.1.0 | — |