GHSA-9vv4-g2cx-75rq
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable reporting API with low complexity but requires an authenticated report-run permission (PR:L); impact is primarily unauthorized data read (C:H), with limited integrity and no clear availability impact for a read-oriented report query.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6Description PRE-NVD
Articles & Coverage 1
AnalysisAI
SQL injection in Apache Fineract's Report Execution API (the runreports endpoint) in all versions up to and including 1.14.0 lets an authenticated user holding report-run permission inject arbitrary SQL through crafted report parameter values, because those values are concatenated into the generated query without sufficient validation. This yields unauthorized read access to data well beyond what the report was scoped to expose, and by extension other database contents. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Fineract account (PR:L) that has been granted permission to run reports, plus access to the Report Execution API's runreports endpoint; the attacker injects via crafted report parameter values that are passed into the generated SQL. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine, actionable priority for any organization running Fineract, though not an unauthenticated internet-wide risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged but authenticated Fineract user (for example a branch officer or analyst granted report-run permission) supplies a report and, instead of a normal value, passes a crafted parameter containing SQL syntax such as a UNION SELECT or subquery. Because the value is concatenated into the report's SQL, the injected clause executes and returns rows from tables the user was never authorized to see, such as other clients' financial records or credential/config tables. … |
| Remediation | Upgrade to a fixed release of Apache Fineract above 1.14.0 that incorporates PR #5980 (https://github.com/apache/fineract/pull/5980); the input does not specify an exact tagged release number, so this is an upstream fix available (PR/commit) with the released patched version not independently confirmed - confirm the target version against the Apache Fineract announcement threads before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all Apache Fineract deployments, document current versions, and audit which accounts hold report-run permissions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.8.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.8.
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape
SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Rated critical severity (CVSS 9.4), thi
In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/cent
Improper Privilege Management vulnerability in Apache Fineract.8.5. Rated high severity (CVSS 8.8), this vulnerability i
Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different RE
SQL injection in Apache Fineract's Office Search API (GET /api/v1/offices) in all versions up to and including 1.14.0 le
Blind boolean-based SQL injection in Apache Fineract's Client Search API (GET /api/v1/clients) through version 1.14.0 le
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Rated high severity (CVS
Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hack
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44604