Apache Fineract: SQL injection in runreports endpoint
Summary
| CVE | CVE-2026-35152 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-15 10:16:46 UTC |
| Updated | 2026-07-15 20:16:32 UTC |
| Description | A SQL Injection vulnerability exists in Apache Fineract's Report Execution API (runreports endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run reports to inject arbitrary SQL via crafted parameter values. This can be leveraged to perform unauthorized access to data beyond what the report was designed to expose. Users are recommended to upgrade to a version containing the fix. |
Risk And Classification
Primary CVSS: v3.1 8.8 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.003280000 probability, percentile 0.249240000 (date 2026-07-15)
Problem Types: CWE-89 | CWE-89 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache Fineract | affected 1.14.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/apache/fineract/pull/5980 | [email protected] | github.com | Patch |
| lists.apache.org/thread/d3bzcwsbywz7wg9zxvtlkvgmffqjyfn0 | [email protected] | lists.apache.org | Mailing List, Vendor Advisory |
| lists.apache.org/thread/658yddn0bpxqw2hpxnyk3vqd05bkchg9 | [email protected] | lists.apache.org | Mailing List, Vendor Advisory |
| www.openwall.com/lists/oss-security/2026/07/15/1 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: JD Security Shenyi Team (en)
CNA: Geo Chen (en)
CNA: Quac Tran (en)
CNA: Terence Monteiro (@terencemo) (en)
CNA: Ádám Sághy (@adamsaghy) (en)
CNA: Aleksandar Vidakovic (@vidakovic) (en)
There are currently no legacy QID mappings associated with this CVE.