Medium severity4.9NVD Advisory· Published May 25, 2026· Updated May 28, 2026
CVE-2026-42797
CVE-2026-42797
Description
Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope.
An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related security-sensitive information.
This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.
Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by further restricting the JEXL expression definition.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- www.openwall.com/lists/oss-security/2026/05/25/5nvdMailing ListThird Party Advisory
- lists.apache.org/thread/5y7d277sntyytrmxnx2tfjr9ftcpq1s6nvdMailing ListVendor Advisory
News mentions
1- Apache Ships 12 Patches Across 7 Projects: Shiro, Airflow, Syncope Lead the BatchVypr Intelligence · May 28, 2026