CVE-2026-35152

Apache · Fineract

A SQL injection vulnerability in the Apache Fineract Report Execution API (runreports endpoint) allows authenticated users to execute arbitrary SQL commands.

Executive summary

A high-severity SQL injection vulnerability in Apache Fineract allows authenticated attackers to compromise database integrity and confidentiality.

Vulnerability

The application fails to properly sanitize user-supplied input within the Report Execution API. This flaw allows an authenticated attacker to perform SQL injection, potentially leading to unauthorized data access or modification.

Business impact

Successful exploitation of this vulnerability allows an attacker to interact directly with the backend database, which may contain sensitive financial or user data. Given the CVSS score of 8.8, the potential for unauthorized data exfiltration or corruption poses a significant risk to organizational data integrity and compliance requirements.

Remediation

Immediate Action: Upgrade to the latest version of Apache Fineract as specified by the vendor's security advisory and ensure that the report execution functionality is properly restricted.

Proactive Monitoring: Monitor database query logs for unusual patterns, such as unexpected syntax or queries originating from the runreports endpoint that deviate from standard operational behavior.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common SQL injection patterns targeting application APIs.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the high CVSS score and the direct impact on database security, administrators should prioritize patching this vulnerability immediately. Ensure all authenticated users are audited and that database permissions follow the principle of least privilege to minimize potential damage.