Skip to main content

Apache Fineract CVE-2026-57821

| EUVDEUVD-2026-44605 HIGH
SQL Injection (CWE-89)
8.1
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
8.1 HIGH

Network REST endpoint (AV:N/AC:L), requires a low-priv office-view account (PR:L), blind read yields C:H with no write path (I:N), and connection-pool exhaustion gives A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

6
Source Code Evidence Fetched
Jul 15, 2026 - 13:29 vuln.today
Analysis Updated
Jul 15, 2026 - 13:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 15, 2026 - 13:22 vuln.today
cvss_changed
CVSS changed
Jul 15, 2026 - 13:22 NVD
8.1 (HIGH)
Analysis Generated
Jul 15, 2026 - 08:16 vuln.today
CVE Published
Jul 15, 2026 - 06:42 oss-security
HIGH

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

SQL injection in Apache Fineract's Office Search API (GET /api/v1/offices) in all versions up to and including 1.14.0 lets an authenticated user who holds the office-view permission inject arbitrary SQL through the orderBy request parameter. Because it bypasses the ColumnValidator hardening added for CVE-2024-32838, an attacker can run time-based blind SQL injection to exfiltrate database contents and, by launching concurrent injections that hold connections open, exhaust the database connection pool to cause denial of service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with office-view permission
Delivery
Send GET /api/v1/offices with crafted orderBy subquery
Exploit
Bypass ColumnValidator in ORDER BY position
Execution
Run time-based blind SQL injection
Impact
Exfiltrate data or exhaust connection pool for DoS

Vulnerability AssessmentAI

Exploitation Requires an authenticated Fineract account holding the permission to view offices (CVSS PR:L), and requests must target the Office Search API endpoint GET /api/v1/offices supplying a crafted orderBy parameter; the injected payload must be a bare subquery in the ORDER BY position, which evades the ColumnValidator control from the CVE-2024-32838 fix. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, base 8.1) is internally consistent with the description: a network-reachable REST endpoint, low complexity, a low-privilege authenticated account (PR:L, matching the 'authenticated user with permission to view offices' precondition), no user interaction, high confidentiality impact from blind data exfiltration, and high availability impact from connection-pool exhaustion. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged Fineract account that can view offices calls GET /api/v1/offices with an orderBy value carrying a bare subquery, then measures response timing to blind-extract sensitive rows (e.g., user or client financial data) one condition at a time. Because AC:L and PR:L, exploitation is straightforward for any authorized user; firing many such requests in parallel holds database connections open for the full query duration and starves the pool, degrading or denying service for everyone else. …
Remediation Upstream fix available (PR/commit) via https://github.com/apache/fineract/pull/6048; a released patched version is not independently confirmed from the provided data, so upgrade to the first tagged Fineract release that incorporates PR #6048 (the vendor recommends upgrading to a version containing the fix - monitor https://fineract.apache.org/ and the Apache threads at https://lists.apache.org/thread/lb7zwdv7qntzy6z05gzf7m8mxw9cbgsj and https://lists.apache.org/thread/rj5vwh3z2xcvsf0rqwj8kokpbrxkhq4n for the exact version). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: enumerate all Fineract deployments and their versions, audit which users hold office-view permissions, and enable detailed query logging for the Office Search API endpoint. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57821 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy