GHSA-fcf9-3vvc-8qg6
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Network-reachable API, low complexity, requires a low-privilege client-view account (PR:L); ORDER BY injection in a SELECT enables data/file read (C:H) but no write path, so I:N and A:N.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
6Description PRE-NVD
AnalysisAI
Blind boolean-based SQL injection in Apache Fineract's Client Search API (GET /api/v1/clients) through version 1.14.0 lets an authenticated user who holds the view-clients permission concatenate unvalidated orderBy (and sortOrder) parameters directly into the backing SQL query. Attackers can extract arbitrary database contents one bit at a time and, on MySQL/MariaDB back ends, read arbitrary files accessible to the DB process via LOAD_FILE(). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated account with permission to view clients (CVSS PR:L) and network reachability to the Fineract REST API endpoint GET /api/v1/clients; no user interaction and no special non-default configuration are needed for the base SQL injection, since the vulnerable orderBy handling is present in default builds up to 1.14.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, 8.1) reflects a network-reachable, low-complexity attack requiring only low privileges and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged Fineract user (or an attacker who has phished such credentials) sends GET /api/v1/clients with a crafted orderBy value like 'c.office_id, (CASE WHEN (ASCII(SUBSTRING((SELECT ...),1,1)) - 109) THEN c.id ELSE (c.id*-1) END)', observing the differing row order/response to extract data one boolean at a time. On a MySQL/MariaDB back end the attacker pivots to LOAD_FILE() to read files readable by the DB process. … |
| Remediation | Upstream fix available (PR/commit https://github.com/apache/fineract/pull/6020); a released, tagged patched version is not independently confirmed from the provided data - monitor https://fineract.apache.org/ and the ASF thread https://lists.apache.org/thread/l5klcj2v0dx63bssvb0gmw1nzzc47col for the fixed release and upgrade to a version above 1.14.0 that includes the InputValidator allow-list. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems running Apache Fineract version 1.14.0 or earlier and audit which users and service accounts hold the view-clients permission; review access logs for suspicious activity on the /api/v1/clients endpoint with unusual orderBy or sortOrder parameters. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.8.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.8.
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape
SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Rated critical severity (CVSS 9.4), thi
SQL injection in Apache Fineract's Report Execution API (the runreports endpoint) in all versions up to and including 1.
In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/cent
Improper Privilege Management vulnerability in Apache Fineract.8.5. Rated high severity (CVSS 8.8), this vulnerability i
Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different RE
SQL injection in Apache Fineract's Office Search API (GET /api/v1/offices) in all versions up to and including 1.14.0 le
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Rated high severity (CVS
Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hack
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44603