PT-2026-58896 · Apache · Apache Fineract

Ádám Sághy

+1

·

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-57821

CVSS v3.1

8.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions Apache Fineract versions prior to 1.14.1
Description An authenticated user with permissions to view offices can perform a time-based blind SQL injection via the 'Office Search API' endpoint '/api/v1/offices'. The issue occurs because the orderBy request parameter is concatenated into a SQL query without sufficient validation, bypassing the ColumnValidator. This allows the injection of arbitrary SQL, which can be used for data exfiltration. Additionally, because the injected queries block database connections, concurrent exploitation may exhaust the database connection pool, leading to a denial of service.
Recommendations Upgrade to a version containing the fix. As a temporary mitigation, restrict the use of the orderBy parameter in the '/api/v1/offices' endpoint.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-57821

Affected Products

Apache Fineract