PT-2026-58896 · Apache · Apache Fineract
Ádám Sághy
+1
·
Published
2026-07-15
·
Updated
2026-07-15
·
CVE-2026-57821
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Fineract versions prior to 1.14.1
Description
An authenticated user with permissions to view offices can perform a time-based blind SQL injection via the 'Office Search API' endpoint '/api/v1/offices'. The issue occurs because the
orderBy request parameter is concatenated into a SQL query without sufficient validation, bypassing the ColumnValidator. This allows the injection of arbitrary SQL, which can be used for data exfiltration. Additionally, because the injected queries block database connections, concurrent exploitation may exhaust the database connection pool, leading to a denial of service.Recommendations
Upgrade to a version containing the fix.
As a temporary mitigation, restrict the use of the
orderBy parameter in the '/api/v1/offices' endpoint.Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Fineract