PT-2026-58893 · Apache · Apache Fineract

Ádám Sághy

+4

·

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-35152

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Apache Fineract versions prior to 1.14.1
Description An issue exists in the Report Execution API 'runreports' endpoint where report parameter values are incorporated into the generated SQL query without sufficient validation. This allows an authenticated user with report execution permissions to inject arbitrary SQL through crafted parameter values, potentially leading to unauthorized access to data beyond the intended scope of the report.
Recommendations Upgrade to a version containing the fix. Restrict the use of the 'runreports' endpoint for users with excessive permissions until the update is applied.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-35152

Affected Products

Apache Fineract