CVE-2026-23795: Apache Syncope: Console XXE on Keymaster parameters

February 3, 2026

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs.

This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.

Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

References

github.com/advisories/GHSA-73f3-rqqf-2j54
github.com/apache/syncope
lists.apache.org/thread/mzgbdn8hzk8vr94o660njcc7w62c2pos
nvd.nist.gov/vuln/detail/CVE-2026-23795

Code Behaviors & Features

Detect and mitigate CVE-2026-23795 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →