CVE-2026-23795 - Vulnerability Details

- Apache Syncope: Console XXE on Keymaster parameters

Description

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console.
An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

Published: 2026-02-03

Score: 4.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Apache Syncope servers allow administrators with sufficient permissions to create or edit Keymaster parameters via the console. By supplying crafted XML containing external entity references, these administrators can trigger XML External Entity (XXE) processing, which may expose internal files, environment data, or other sensitive information. The vulnerability is classified as CWE-611 and can lead to the unintended disclosure of confidential data to an attacker who can control the XML input.

Affected Systems

The affected product is Apache Syncope, version 3.0.0 through 3.0.15 and 4.0.0 through 4.0.3. Affected installations expose a web console that accepts XML for Keymaster configuration. All builds in these ranges are vulnerable until the next patch version; upgrading to 3.0.16 or 4.0.4 (or later) addresses the issue.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.9, indicating moderate severity. The EPSS score is less than 1%, which means exploitation is considered unlikely under current threat intelligence. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated administrator with the ability to edit Keymaster parameters; the attacker would need access to the console or privileged credentials. While the impact is limited to data leakage rather than full system compromise, it can expose critical configuration or sensitive user information, warranting prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache Syncope

unaffected

Version	Status	Constraints
`3.0`	affected	≤ 3.0.15
`4.0`	affected	≤ 4.0.3

Configuration 1 [-]

OR	cpe:2.3:a:apache:syncope::::::::
	cpe:2.3:a:apache:syncope::::::::

No data.

Vendor	Product	Confidence	Versions
Apache	Syncope	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Apache Syncope to version 3.0.16 or 4.0.4 (or later) to eliminate the vulnerability.
Review and enforce least‑privilege access on the console so that only trusted administrators can modify Keymaster parameters.
Monitor console logs for anomalous XML requests or repeated external entity references and investigate suspicious activity promptly.

Generated by OpenCVE AI on April 18, 2026 at 14:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-73f3-rqqf-2j54	Apache Syncope: Console XXE on Keymaster parameters

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00101.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/02/02/2
https://lists.apache.org/thread/mzgbdn8hzk8vr94o660njcc7w62c2pos

History

Fri, 06 Feb 2026 14:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:apache:syncope::::::::

Wed, 04 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache syncope
Vendors & Products		Apache Apache syncope

Tue, 03 Feb 2026 16:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/02/02/2
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}`

Tue, 03 Feb 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.
Title		Apache Syncope: Console XXE on Keymaster parameters
Weaknesses		CWE-611
References		https://lists.apache.org/thread/mzgbdn8hzk8vr94o660njcc7w62c2pos

Subscriptions

Apache Syncope

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-02-03T15:14:35.448Z

Updated: 2026-02-03T16:00:32.112Z

Reserved: 2026-01-16T11:15:53.117Z

Link: CVE-2026-23795

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-03T16:16:13.390

Modified: 2026-02-06T14:43:16.790

Link: CVE-2026-23795

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses

CWE-611

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object