Impact
An administrator holding the entitlement to create Derived Schemas can define a schema whose JEXL expression exposes security‑sensitive user data; because a derived attribute is computed and returned as part of an ordinary user read, its value then reaches any administrator with user‑read entitlements, resulting in a confidentiality breach. The account that plants the expression and the account that reads the result need not be the same. The weakness is improper validation of the JEXL expression supplied when a Derived Schema is created, classified as CWE‑202. The impact is unauthorized disclosure of user data; system state is not modified. It is inferred from the description that exploitation requires an authenticated account with the Derived Schema creation entitlement (plus a user‑read entitlement to retrieve the result), so an unauthenticated attacker cannot exploit it.
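The general hardening pattern the weakness calls for is to treat an administrator‑supplied JEXL expression as untrusted input: validate it when the schema is created, and evaluate it against a context that contains only the attributes it is allowed to see. The following is an added illustration, not Apache Syncope's code and not the project's fix; it assumes Apache Commons JEXL 3.3 or later on the classpath, and the allowlist, class and method names are hypothetical.

```java
// Added illustration of validating and sandboxing an administrator-supplied
// JEXL expression. Not Apache Syncope's code and not the project's fix.
// Assumes org.apache.commons.jexl3 (Commons JEXL 3.3+) on the classpath.
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlScript;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

public final class DerivedExpressionGuard {

    // Hypothetical allowlist: the only user attributes a derived-schema
    // expression may reference. Sensitive fields are deliberately absent.
    private static final Set<String> ALLOWED_ATTRS =
            Set.of("username", "firstname", "surname", "email");

    // RESTRICTED permissions deny the expression access to java.lang.System,
    // Runtime, Class, reflection, java.io, java.net and similar, so an
    // expression that tries to reach arbitrary Java classes fails to execute.
    // strict(true) makes unresolved variables/methods raise instead of yielding null.
    private static final JexlEngine ENGINE = new JexlBuilder()
            .permissions(JexlPermissions.RESTRICTED)
            .strict(true)
            .silent(false)
            .create();

    private DerivedExpressionGuard() { }

    // Called at schema-creation time. Parses the expression and rejects it if
    // any referenced variable is outside the allowlist. Throws JexlException
    // on a syntax error and IllegalArgumentException on a disallowed reference.
    public static JexlScript validate(String expression) {
        JexlScript script = ENGINE.createScript(expression);
        for (List<String> ref : script.getVariables()) {
            // Each ref is a dotted path, e.g. ["user", "password"] for user.password;
            // only the root segment is checked against the allowlist here.
            if (!ALLOWED_ATTRS.contains(ref.get(0))) {
                throw new IllegalArgumentException(
                        "derived expression references non-allowlisted attribute: "
                                + String.join(".", ref));
            }
        }
        return script;
    }

    // Called at read time. Builds the evaluation context from the allowlist
    // only, so the expression cannot see other attributes even if validation
    // was bypassed or the allowlist changed after the schema was stored.
    public static Object evaluate(JexlScript script, Map<String, Object> userAttrs) {
        JexlContext ctx = new MapContext();
        for (String attr : ALLOWED_ATTRS) {
            if (userAttrs.containsKey(attr)) {
                ctx.set(attr, userAttrs.get(attr));
            }
        }
        return script.execute(ctx);
    }

    public static void main(String[] args) {
        // Constructed sample user; "password" stands in for any sensitive field.
        Map<String, Object> user = Map.of(
                "username", "jdoe", "firstname", "Jane", "surname", "Doe",
                "email", "jdoe@example.org", "password", "hashed-secret");

        // Legitimate derived attribute: concatenates two allowlisted fields.
        System.out.println(evaluate(validate("firstname + ' ' + surname), user));

        // Rejected cases: a direct reference to a non-allowlisted attribute,
        // and an attempt to reach the JVM through reflection.
        for (String bad : List.of("password", "''.class.forName('java.lang.System')")) {
            try {
                System.out.println(evaluate(validate(bad), user));
            } catch (IllegalArgumentException | JexlException e) {
                System.out.println("rejected: " + bad + " -> " + e.getClass().getSimpleName());
            }
        }
    }
}
```

Two layers are used on purpose: the allowlist check at creation time gives the administrator an immediate error, while the restricted engine and minimal context at read time ensure that an expression which slips past validation (or a schema stored before validation existed) still cannot reach sensitive attributes or arbitrary Java classes.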
Affected Systems
This issue affects Apache Syncope versions 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0. The vulnerability is present in all affected releases regardless of deployment size or configuration, provided the attacker holds the necessary schema‑creation and user‑read entitlements.
Risk and Exploitability
No EPSS score is available for this CVE, which means no exploitation‑probability estimate has been published; it does not by itself indicate a low exploitation rate. The vulnerability is not listed in the CISA KEV catalog. It carries a high potential impact because of the sensitive nature of the exposed data. The attacker must already hold administrative entitlements covering both Derived Schema creation and user reads, a fairly high access requirement. Exploitation goes through the normal authenticated administrative interface (schema creation followed by a user read) and needs no other channel. It is inferred that the vulnerability cannot be exploited without valid administrative credentials; whether those credentials can be used from outside the organization depends on how the administrative interface is exposed. Until the deployment is updated, restricting the Derived Schema creation entitlement and reviewing existing Derived Schema expressions for references to sensitive attributes limits exposure.
OpenCVE Enrichment