Apache Syncope: Post-auth RCE via Groovy static_CVE-2026-42782

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

Improper Isolation or Compartmentalization vulnerability in Apache Syncope.

An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer.

This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.

Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.

Basic Information

ID CVE-2026-42782

Source apache

Published May 25, 2026 at 14:58

Modified May 27, 2026 at 20:31

Affected Product

Vendor Apache Software Foundation

Product Apache Syncope

Version 3.0

Affected Versions Apache Software Foundation Apache Syncope 3.0
Apache Software Foundation Apache Syncope 4.0
Apache Software Foundation Apache Syncope 4.1

CWE Classification

CWE-653

References

lists.apache.org /thread/b869ms0ofrd129f7tgsn9flxgv9ztg2r

{
    "lastseen": "",
    "description": "Improper Isolation or Compartmentalization vulnerability in Apache Syncope.\n\nAn administrator with adequate entitlements for Implementations can create a malicious Groovy class containing\u00a0untrusted code reaching a non-sandboxed execution path via the class static initializer.\n\nThis issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.\n\n\n\nUsers are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.",
    "published": "2026-05-25T14:58:59.152Z",
    "modified": "2026-05-27T20:31:30.996Z",
    "type": "cve",
    "title": "Apache Syncope: Post-auth RCE via Groovy static",
    "source": "apache",
    "references": "https://lists.apache.org/thread/b869ms0ofrd129f7tgsn9flxgv9ztg2r",
    "id": "CVE-2026-42782",
    "bulletinFamily": "",
    "cwe": [
        "CWE-653"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Syncope 3.0\nApache Software Foundation Apache Syncope 4.0\nApache Software Foundation Apache Syncope 4.1",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Syncope",
    "version": "3.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}