Apache Syncope: Console XXE on Keymaster parameters_CVE-2026-23795

4.9 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console.
An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

Basic Information

ID CVE-2026-23795

Source apache

Published Feb 3, 2026 at 15:14

Modified Feb 3, 2026 at 16:00

Affected Product

Vendor Apache Software Foundation

Product Apache Syncope

Version 3.0

Affected Versions Apache Software Foundation Apache Syncope 3.0
Apache Software Foundation Apache Syncope 4.0

CWE Classification

CWE-611

References

lists.apache.org /thread/mzgbdn8hzk8vr94o660njcc7w62c2pos

{
    "lastseen": "",
    "description": "Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console.\nAn administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs.\n\nThis issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.\n\nUsers are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.",
    "published": "2026-02-03T15:14:35.448Z",
    "modified": "2026-02-03T16:00:32.112Z",
    "type": "cve",
    "title": "Apache Syncope: Console XXE on Keymaster parameters",
    "source": "apache",
    "references": "https://lists.apache.org/thread/mzgbdn8hzk8vr94o660njcc7w62c2pos",
    "id": "CVE-2026-23795",
    "bulletinFamily": "",
    "cwe": [
        "CWE-611"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Syncope 3.0\nApache Software Foundation Apache Syncope 4.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Syncope",
    "version": "3.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}