Impact
An administrator with sufficient entitlements to create Derived Schemas can craft a malicious JEXL expression that allows any administrator who has user-read privileges to retrieve security-sensitive data about users, resulting in a confidentiality breach. The weakness lies in improper validation of JEXL expressions, classified as CWE-202. The impact is unauthorized disclosure of user data; system state is not modified. It is inferred that exploitation requires the attacker to already hold administrative entitlements for Derived Schema creation and for reading users; the vulnerability is not remotely exploitable from an external host.
Affected Systems
This issue affects Apache Syncope versions 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0. The vulnerability is present in all affected releases regardless of deployment size or configuration, provided the attacker holds the necessary schema‑creation and user‑read entitlements.
Risk and Exploitability
The EPSS score is < 1%, indicating a very low but non-zero probability of exploitation. The CVSS score is 4.9, reflecting a medium risk level. The vulnerability is not listed in the CISA KEV catalog. Its potential impact is moderate because of the sensitive nature of the exposed data. The attacker must already hold administrative privileges, including the rights to create derived schemas and read users, which is a fairly high access requirement. Exploitation needs only internal administrative access and no external network interaction; it is inferred that the vulnerability is not remotely exploitable from outside the organization.
OpenCVE Enrichment