PT-2026-58893 · Apache · Apache Fineract
Ádám Sághy
+4
·
Published
2026-07-15
·
Updated
2026-07-15
·
CVE-2026-35152
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Fineract versions prior to 1.14.1
Description
An issue exists in the Report Execution API 'runreports' endpoint where report parameter values are incorporated into the generated SQL query without sufficient validation. This allows an authenticated user with report execution permissions to inject arbitrary SQL through crafted parameter values, potentially leading to unauthorized access to data beyond the intended scope of the report.
Recommendations
Upgrade to a version containing the fix.
Restrict the use of the 'runreports' endpoint for users with excessive permissions until the update is applied.
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Fineract