CVE-2026-42782 · HIGH · CVSS 7.2

Apache Syncope has an Improper Isolation or Compartmentalization vulnerability

Published May 26, 2026·Updated Jun 30, 2026

Description

Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer. This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0. Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.

Affected Packages (1)

org.apache.syncope.core:syncope-core-spring · MAVEN
From 3.0.0-M0
Fixed in = 3.0.16

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
