PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42797 Apache Software Foundation CVE debrief

Apache Syncope versions 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 contain an information disclosure vulnerability (CWE-202) in the Derived Schemas feature. An administrator with entitlements to create Derived Schemas can craft a malicious JEXL expression that, when evaluated during User read operations by another administrator, exposes security-sensitive user information. The vulnerability stems from insufficient restrictions on JEXL expression definitions, allowing data queries to access protected information beyond intended boundaries. The CVSS 3.1 score of 4.9 (Medium) reflects network attack vector, low attack complexity, high privileges required, no user interaction, and high confidentiality impact with no integrity or availability impact. Apache released fixes in versions 4.0.6 and 4.1.1 that implement stricter JEXL expression restrictions. The CVE was published on 2026-05-25 and modified on 2026-05-26; it is not listed in CISA KEV.

Vendor
Apache Software Foundation
Product
Apache Syncope
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-25
Original CVE updated
2026-05-26
Advisory published
2026-05-25
Advisory updated
2026-05-26

Who should care

Apache Syncope administrators, identity and access management teams, security operations centers monitoring IAM platforms, and organizations using Syncope for user provisioning and identity governance

Technical summary

The vulnerability exists in Apache Syncope's Derived Schemas functionality, which uses JEXL (Java Expression Language) expressions to compute derived attribute values. Insufficient sandboxing of these expressions allows a schema administrator to reference security-sensitive user attributes that should be inaccessible to other administrators. When a user administrator with read entitlements queries affected users, the malicious JEXL expression evaluates and leaks protected data. The fix implements additional expression restrictions to prevent unauthorized attribute access.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Apache Syncope to version 4.0.6 or 4.1.1 to obtain JEXL expression restrictions that prevent information disclosure
  • Review existing Derived Schema definitions for malicious JEXL expressions if upgrade is not immediately feasible
  • Audit administrator entitlements for Derived Schema creation and User read operations to identify potential abuse
  • Monitor access logs for unusual Derived Schema creation or modification activity
  • Restrict administrator privileges according to the principle of least privilege pending upgrade
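The second action above (reviewing existing Derived Schema definitions) can be partly automated. The script below is an added example, not code from PatchSiren or from the Apache Syncope project: it takes an exported list of derived-schema definitions and flags any JEXL expression that goes beyond an allow-list of plain attribute keys, either by referencing an identifier that is not a known plain schema or by using member-access, call or indexing syntax. The export shape (objects with "key" and "expression" fields), the allow-list and the sample definitions are all constructed for the example; adapt the loader to however your deployment exports its schemas.

```python
"""Flag Apache Syncope derived-schema JEXL expressions that reference more
than plain attribute keys.

Added example; not PatchSiren's or Apache Syncope's code. The export shape
(a JSON list of {"key", "expression"} objects) is an assumption.
"""
import json
import re

# JEXL string literals, single- or double-quoted, with backslash escapes.
_STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Member access, invocation and indexing. A derived value that only
# concatenates plain attributes needs none of these.
_NAVIGATION = re.compile(r"[.\[\]()]")
# JEXL keywords and literals that are harmless on their own.
_KEYWORDS = {"empty", "null", "true", "false", "and", "or", "not", "if", "else"}


def review_expression(expression, allowed_keys):
    """Return the reasons an expression deserves manual review (empty list = ok)."""
    reasons = []
    # Blank out string literals so their contents are not mistaken for identifiers.
    stripped = _STRING_LITERAL.sub("''", expression)
    if _NAVIGATION.search(stripped):
        reasons.append("uses member access, call or indexing syntax")
    for ident in _IDENTIFIER.findall(stripped):
        if ident in _KEYWORDS or ident in allowed_keys:
            continue
        reasons.append(f"references unknown identifier '{ident}'")
    return reasons


def review_derived_schemas(export_json, allowed_keys):
    """Return [(schema_key, reasons)] for every definition that needs review."""
    findings = []
    for schema in json.loads(export_json):
        reasons = review_expression(schema["expression"], allowed_keys)
        if reasons:
            findings.append((schema["key"], reasons))
    return findings


# Constructed sample: the plain schema keys a tenant declares, and a
# hypothetical export of its derived schemas.
SAMPLE_PLAIN_KEYS = {"firstname", "surname", "email"}
SAMPLE_EXPORT = json.dumps([
    {"key": "fullname", "expression": "firstname + ' ' + surname"},
    {"key": "csvline", "expression": "surname + ',' + firstname + ',' + email"},
    {"key": "fallback", "expression": "email != null ? email : surname"},
    {"key": "upper", "expression": "surname.toUpperCase()"},
    {"key": "withlabel", "expression": "'id: ' + internalId"},
])


if __name__ == "__main__":
    for key, reasons in review_derived_schemas(SAMPLE_EXPORT, SAMPLE_PLAIN_KEYS):
        print(f"{key}: " + "; ".join(reasons))
```

Run against the constructed sample, the first three definitions pass and the last two are reported: "upper" for using a method call (and the unknown identifier toUpperCase), "withlabel" for referencing internalId, which is not a declared plain schema. An allow-list check like this produces false positives for legitimate but elaborate expressions, which is the intended trade-off: every flagged definition gets a human look, and nothing that only concatenates declared attributes is flagged.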

Evidence notes

Vulnerability description and affected versions derived from the official CVE record and NVD entry. Fix versions and remediation guidance confirmed through the Apache security mailing list reference. CVSS vector and CWE classification sourced from NVD metadata. Vendor identification as Apache is based on reference-domain evidence and carries a low-confidence flag for review.

Official resources

2026-05-25T16:16:20.390Z