Apache Syncope: JexlContextBuilder Information Disclosure_CVE-2026-42797

4.9 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description

Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope.

An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related security-sensitive information.

This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.

Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by further restricting the JEXL expression definition.

Basic Information

ID CVE-2026-42797

Source apache

Published May 25, 2026 at 15:00

Modified May 26, 2026 at 20:06

Affected Product

Vendor Apache Software Foundation

Product Apache Syncope

Version 3.0

Affected Versions Apache Software Foundation Apache Syncope 3.0
Apache Software Foundation Apache Syncope 4.0
Apache Software Foundation Apache Syncope 4.1

CWE Classification

CWE-202

References

lists.apache.org /thread/5y7d277sntyytrmxnx2tfjr9ftcpq1s6

{
    "lastseen": "",
    "description": "Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope.\n\nAn administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related security-sensitive information.\n\nThis issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.\n\nUsers are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by further restricting the JEXL expression definition.",
    "published": "2026-05-25T15:00:55.670Z",
    "modified": "2026-05-26T20:06:31.884Z",
    "type": "cve",
    "title": "Apache Syncope: JexlContextBuilder Information Disclosure",
    "source": "apache",
    "references": "https://lists.apache.org/thread/5y7d277sntyytrmxnx2tfjr9ftcpq1s6",
    "id": "CVE-2026-42797",
    "bulletinFamily": "",
    "cwe": [
        "CWE-202"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Syncope 3.0\nApache Software Foundation Apache Syncope 4.0\nApache Software Foundation Apache Syncope 4.1",
    "sourceHref": "",
    "cvss": {
        "score": 4.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Syncope",
    "version": "3.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}