CVE-2026-42797

MEDIUM 4.9

Apache Syncope: JexlContextBuilder Information Disclosure

CVSS Score

4.9

EPSS Score

0.0%

EPSS Percentile

4th

Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related security-sensitive information. This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0. Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by further restricting the JEXL expression definition.

CWE	CWE-202
Vendor	apache software foundation
Product	apache syncope
Published	May 25, 2026
Last Updated	May 26, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache syncope

Be the first to know when new medium vulnerabilities affecting apache software foundation apache syncope are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Syncope

3.0 ≤ 3.0.16 4.0 ≤ 4.0.5 4.1 ≤ 4.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/5y7d277sntyytrmxnx2tfjr9ftcpq1s6 openwall.com: http://www.openwall.com/lists/oss-security/2026/05/25/5

Credits

elin kai