CVE Catalog

CVE-2026-42782

High
Published: Translated: NVD NIST

Summary

A vulnerability in Apache Syncope related to improper isolation or compartmentalization allows an administrator to create a malicious Groovy class that can execute untrusted code outside of a sandbox.

Risk Assessment

This issue may lead to unauthorized code execution in the system, posing risks to data security and application integrity.

Recommendation

It is recommended to upgrade to version 4.0.6 or 4.1.1, which fix this issue by enforcing the execution of static initializers in Groovy code within a sandbox.

Original NVD description (English source)

Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer. This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0. Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS