Sensitive Information Exposure in Apache Syncope by Apache
CVE-2026-42797


Key Information:

Vendor: Apache

CVE Published: 25 May 2026

What is CVE-2026-42797?

A vulnerability has been identified in Apache Syncope that allows administrators holding certain privileges to craft malicious JEXL expressions. Through such expressions, other administrators who hold only User read entitlements can gain unauthorized access to security-sensitive information about users. Several versions of Apache Syncope are affected, and users are advised to upgrade to the corresponding patched versions to mitigate this risk.

Affected Version(s)

  • Apache Syncope 3.0 <= 3.0.16

  • Apache Syncope 4.0 <= 4.0.5

  • Apache Syncope 4.1 <= 4.1.0

References

Timeline

  • Vulnerability reserved

  • Vulnerability published

Credit

elin kai