Apache Syncope Console XXE Vulnerability (3.0-3.0.15,4.0-4.0.3)
CVE-2026-23795 Published on February 3, 2026
Apache Syncope: Console XXE on Keymaster parameters
Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console.
An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs.
This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.
Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.
Vulnerability Analysis
CVE-2026-23795 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is a XXE Vulnerability?
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVE-2026-23795 has been classified to as a XXE vulnerability or weakness.
Products Associated with CVE-2026-23795
Want to know whenever a new CVE is published for Apache Syncope? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Syncope:- Version 3.0, <= 3.0.15 is affected.
- Version 4.0, <= 4.0.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.