Description
Improper Isolation or Compartmentalization vulnerability in Apache Syncope.

An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer.

This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.

Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.
Published: 2026-05-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, it is inferred that the attacker must already hold sufficient Implementation entitlements as a Syncope administrator to create the malicious Groovy class. Because the class's static initializer runs outside the sandbox, untrusted code placed there can execute arbitrary instructions on the system, giving the attacker full server control. The weakness is classified as Improper Isolation or Compartmentalization.

Affected Systems

Apache Syncope versions 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 are affected. The issue is fixed in the subsequent releases 4.0.6 and 4.1.1, which enforce sandboxed execution for all Groovy code, including static initializers.

Risk and Exploitability

Based on the description, it is inferred that the attack requires an authenticated user holding Implementation privileges. The vulnerability lacks a published CVSS score, but its nature, remote code execution under a privileged account, makes it a high-risk issue. EPSS data is not available, and the vulnerability is not listed in CISA's KEV catalog. Once such a user can upload or modify Groovy scripts, execution of the malicious static initializer can compromise the entire Syncope deployment.

Generated by OpenCVE AI on May 25, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Syncope to version 4.0.6 or 4.1.1 (or later) to enforce sandboxed execution of Groovy static initializers.
  • If an immediate upgrade is not possible, restrict or disable Groovy script execution for any user who does not strictly require that privilege.
  • Apply the principle of least privilege by ensuring that only trusted administrators hold the entitlement required to create or modify Groovy classes in Syncope.

Advisories

No advisories yet.

History

Mon, 25 May 2026 17:45:00 +0000

  Type: First Time appeared
    Values removed: (none)
    Values added: Apache; Apache syncope
  Type: Vendors & Products
    Values removed: (none)
    Values added: Apache; Apache syncope

Mon, 25 May 2026 15:45:00 +0000

  Type: Description
    Values removed: (none)
    Values added: Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer. This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0. Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.
  Type: Title
    Values removed: (none)
    Values added: Apache Syncope: Post-auth RCE via Groovy static
  Type: Weaknesses
    Values removed: (none)
    Values added: CWE-653
  Type: References
    Values removed: (none)
    Values added: (empty)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-25T20:30:24.495Z

Reserved: 2026-04-29T14:11:03.486Z

Link: CVE-2026-42782

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T17:30:05Z

Weaknesses