Apache Syncope JEXL Context Builder Information Disclosure Vulnerability

Vulnerability

A vulnerability allowing exposure of sensitive information through data queries has been identified in Apache Syncope versions 3.0 prior to 3.0.16, 4.0 prior to 4.0.5, and 4.1.0. This issue arises when an administrator with the appropriate entitlements for Derived Schemas creates a malicious JEXL expression. Such an expression can be exploited by any administrator with sufficient entitlements for User read access to retrieve security-sensitive information related to users.

Impact

Exploitation of this vulnerability could lead to unauthorized access to security-sensitive user information by administrators with the appropriate entitlements.

Remediation

Users are advised to upgrade to Apache Syncope versions 4.0.6 or 4.1.1, both of which address this vulnerability by imposing stricter controls on JEXL expression definitions.

Added: May 26, 2026, 7:10 PM
Updated: May 26, 2026, 7:10 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.8
remediation: 0.0
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.