Skip to main content

Apache Fineract CVE-2026-56287

| EUVDEUVD-2026-44603 HIGH
SQL Injection (CWE-89)
8.1
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable API, low complexity, requires a low-privilege client-view account (PR:L); ORDER BY injection in a SELECT enables data/file read (C:H) but no write path, so I:N and A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Source Code Evidence Fetched
Jul 15, 2026 - 15:31 vuln.today
Analysis Updated
Jul 15, 2026 - 15:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 15, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
Jul 15, 2026 - 15:22 NVD
8.1 (HIGH)
Analysis Generated
Jul 15, 2026 - 08:16 vuln.today
CVE Published
Jul 15, 2026 - 06:40 oss-security
HIGH

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Blind boolean-based SQL injection in Apache Fineract's Client Search API (GET /api/v1/clients) through version 1.14.0 lets an authenticated user who holds the view-clients permission concatenate unvalidated orderBy (and sortOrder) parameters directly into the backing SQL query. Attackers can extract arbitrary database contents one bit at a time and, on MySQL/MariaDB back ends, read arbitrary files accessible to the DB process via LOAD_FILE(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with client-view credentials
Delivery
Send GET /api/v1/clients with crafted orderBy payload
Exploit
Inject boolean CASE into ORDER BY clause
Execution
Infer data bit-by-bit from row ordering
Persist
Pivot to LOAD_FILE() on MySQL/MariaDB
Impact
Exfiltrate database contents and readable files

Vulnerability AssessmentAI

Exploitation Requires an authenticated account with permission to view clients (CVSS PR:L) and network reachability to the Fineract REST API endpoint GET /api/v1/clients; no user interaction and no special non-default configuration are needed for the base SQL injection, since the vulnerable orderBy handling is present in default builds up to 1.14.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, 8.1) reflects a network-reachable, low-complexity attack requiring only low privileges and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged Fineract user (or an attacker who has phished such credentials) sends GET /api/v1/clients with a crafted orderBy value like 'c.office_id, (CASE WHEN (ASCII(SUBSTRING((SELECT ...),1,1)) - 109) THEN c.id ELSE (c.id*-1) END)', observing the differing row order/response to extract data one boolean at a time. On a MySQL/MariaDB back end the attacker pivots to LOAD_FILE() to read files readable by the DB process. …
Remediation Upstream fix available (PR/commit https://github.com/apache/fineract/pull/6020); a released, tagged patched version is not independently confirmed from the provided data - monitor https://fineract.apache.org/ and the ASF thread https://lists.apache.org/thread/l5klcj2v0dx63bssvb0gmw1nzzc47col for the fixed release and upgrade to a version above 1.14.0 that includes the InputValidator allow-list. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running Apache Fineract version 1.14.0 or earlier and audit which users and service accounts hold the view-clients permission; review access logs for suspicious activity on the /api/v1/clients endpoint with unusual orderBy or sortOrder parameters. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-23539 CRITICAL
9.8 Mar 29

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.8.

CVE-2024-23538 CRITICAL
9.8 Mar 29

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.8.

CVE-2018-1290 CRITICAL
9.8 Apr 20

In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape

CVE-2024-32838 CRITICAL
9.4 Feb 12

SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Rated critical severity (CVSS 9.4), thi

CVE-2026-35152 HIGH
8.8 Jul 15

SQL injection in Apache Fineract's Report Execution API (the runreports endpoint) in all versions up to and including 1.

CVE-2017-5663 HIGH
8.8 Dec 14

In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/cent

CVE-2024-23537 HIGH
8.8 Mar 29

Improper Privilege Management vulnerability in Apache Fineract.8.5. Rated high severity (CVSS 8.8), this vulnerability i

CVE-2022-44635 HIGH
8.8 Nov 29

Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in

CVE-2018-1289 HIGH
8.8 Apr 20

In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different RE

CVE-2026-57821 HIGH
8.1 Jul 15

SQL injection in Apache Fineract's Office Search API (GET /api/v1/offices) in all versions up to and including 1.14.0 le

CVE-2023-25195 HIGH
8.1 Mar 28

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Rated high severity (CVS

CVE-2018-1292 HIGH
8.1 Apr 20

Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hack

Share

CVE-2026-56287 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy