CVE-2026-42782

HIGH 7.2

Apache Syncope: Post-auth RCE via Groovy static

CVSS Score

7.2

EPSS Score

0.0%

EPSS Percentile

6th

Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer. This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0. Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.

CWE	CWE-653
Vendor	apache software foundation
Product	apache syncope
Published	May 25, 2026
Last Updated	May 27, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache syncope

Be the first to know when new high vulnerabilities affecting apache software foundation apache syncope are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Syncope

3.0 ≤ 3.0.16 4.0 ≤ 4.0.5 4.1 ≤ 4.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/b869ms0ofrd129f7tgsn9flxgv9ztg2r openwall.com: http://www.openwall.com/lists/oss-security/2026/05/25/4

Credits

Trung Nguyen, CyStack