Apache Syncope Improper Isolation Vulnerability Leading to Post-Authentication Remote Code Execution

Vulnerability

A vulnerability allowing post-authentication remote code execution has been identified in Apache Syncope versions 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0. The issue stems from improper isolation or compartmentalization: an administrator holding the right entitlements can create a malicious Groovy class, and because the class's static initializer runs outside the sandbox, the untrusted code executes when the class is loaded rather than being contained by the sandboxing applied to the rest of the code.

Impact

Exploitation of this vulnerability allows for post-authentication remote code execution on the server where Apache Syncope is running.

Remediation

Users are advised to upgrade to Apache Syncope version 4.0.6 or 4.1.1, which address this vulnerability by ensuring that static initializers in Groovy code are also executed within the sandbox.
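As an added check, not code from the advisory or from the Apache Syncope project, the following Python compares an inventoried Syncope version against the affected ranges stated above and names the first fixed release to move to. The version-string format (dotted numbers with an optional qualifier such as "-SNAPSHOT") and the sample inventory are assumptions.

```python
from typing import List, Optional, Tuple
Version = Tuple[int, int, int]
# Affected ranges as stated in the advisory (both bounds inclusive).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((3, 0, 0), (3, 0, 16)),
    ((4, 0, 0), (4, 0, 5)),
    ((4, 1, 0), (4, 1, 0)),
]
# Fixed releases named in the remediation section.
FIXED_VERSIONS: List[Version] = [(4, 0, 6), (4, 1, 1)]

def parse_version(text: str) -> Version:
    """Parse 'X', 'X.Y' or 'X.Y.Z'; a '-SNAPSHOT' style qualifier is dropped.
    Missing components count as 0, so '4.0' means 4.0.0 (assumption)."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def is_affected(version: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def recommended_upgrade(version: str) -> Optional[Version]:
    """Smallest fixed release above the given version; None when not affected.
    The advisory names no 3.0.x fix, so 3.0.x deployments are pointed at 4.0.6."""
    v = parse_version(version)
    if not is_affected(version):
        return None
    return min(f for f in FIXED_VERSIONS if f > v)

def triage(versions: List[str]) -> List[str]:
    """One line per inventoried version: affected or not, and the upgrade target."""
    report = []
    for ver in versions:
        target = recommended_upgrade(ver)
        if target is None:
            report.append(f"{ver}: not in an affected range")
        else:
            report.append(f"{ver}: AFFECTED, upgrade to {'.'.join(map(str, target))}")
    return report

if __name__ == "__main__":
    # Constructed sample inventory, not real deployments.
    for line in triage(["3.0.12", "4.0.5-SNAPSHOT", "4.1.0", "4.1.1"]):
        print(line)
```

A version outside every listed range (for example a 2.x release) is reported as "not in an affected range" only because the advisory does not list it, not as a statement that it is safe.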

Added: May 26, 2026, 7:10 PM
Updated: May 26, 2026, 7:10 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.8
remediation: 0.0
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.