Skip to main content

Apache Fineract CVE-2026-35152

| EUVDEUVD-2026-44604 HIGH
SQL Injection (CWE-89)
8.8
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.1 HIGH

Network-reachable reporting API with low complexity but requires an authenticated report-run permission (PR:L); impact is primarily unauthorized data read (C:H), with limited integrity and no clear availability impact for a read-oriented report query.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Source Code Evidence Fetched
Jul 15, 2026 - 15:33 vuln.today
Analysis Updated
Jul 15, 2026 - 15:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 15, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
Jul 15, 2026 - 15:22 NVD
8.8 (HIGH)
Analysis Generated
Jul 15, 2026 - 08:16 vuln.today
CVE Published
Jul 15, 2026 - 06:38 oss-security
CRITICAL

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

SQL injection in Apache Fineract's Report Execution API (the runreports endpoint) in all versions up to and including 1.14.0 lets an authenticated user holding report-run permission inject arbitrary SQL through crafted report parameter values, because those values are concatenated into the generated query without sufficient validation. This yields unauthorized read access to data well beyond what the report was scoped to expose, and by extension other database contents. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with report-run permission
Delivery
Select a report on runreports endpoint
Exploit
Submit crafted SQL in parameter value
Execution
Injected query executes against DB
Impact
Exfiltrate unauthorized data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Fineract account (PR:L) that has been granted permission to run reports, plus access to the Report Execution API's runreports endpoint; the attacker injects via crafted report parameter values that are passed into the generated SQL. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine, actionable priority for any organization running Fineract, though not an unauthenticated internet-wide risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged but authenticated Fineract user (for example a branch officer or analyst granted report-run permission) supplies a report and, instead of a normal value, passes a crafted parameter containing SQL syntax such as a UNION SELECT or subquery. Because the value is concatenated into the report's SQL, the injected clause executes and returns rows from tables the user was never authorized to see, such as other clients' financial records or credential/config tables. …
Remediation Upgrade to a fixed release of Apache Fineract above 1.14.0 that incorporates PR #5980 (https://github.com/apache/fineract/pull/5980); the input does not specify an exact tagged release number, so this is an upstream fix available (PR/commit) with the released patched version not independently confirmed - confirm the target version against the Apache Fineract announcement threads before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all Apache Fineract deployments, document current versions, and audit which accounts hold report-run permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-23539 CRITICAL
9.8 Mar 29

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.8.

CVE-2024-23538 CRITICAL
9.8 Mar 29

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.8.

CVE-2018-1290 CRITICAL
9.8 Apr 20

In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape

CVE-2024-32838 CRITICAL
9.4 Feb 12

SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Rated critical severity (CVSS 9.4), thi

CVE-2017-5663 HIGH
8.8 Dec 14

In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/cent

CVE-2024-23537 HIGH
8.8 Mar 29

Improper Privilege Management vulnerability in Apache Fineract.8.5. Rated high severity (CVSS 8.8), this vulnerability i

CVE-2022-44635 HIGH
8.8 Nov 29

Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in

CVE-2018-1289 HIGH
8.8 Apr 20

In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different RE

CVE-2026-57821 HIGH
8.1 Jul 15

SQL injection in Apache Fineract's Office Search API (GET /api/v1/offices) in all versions up to and including 1.14.0 le

CVE-2026-56287 HIGH
8.1 Jul 15

Blind boolean-based SQL injection in Apache Fineract's Client Search API (GET /api/v1/clients) through version 1.14.0 le

CVE-2023-25195 HIGH
8.1 Mar 28

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Rated high severity (CVS

CVE-2018-1292 HIGH
8.1 Apr 20

Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hack

Share

CVE-2026-35152 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy