SQL Injection Vulnerability in Apache Fineract's Client Search API
CVE-2026-56287
Currently unrated
What is CVE-2026-56287?
A boolean-based SQL Injection vulnerability has been identified in the Client Search API of Apache Fineract, affecting versions up to and including 1.14.0. This issue arises from inadequate validation of the 'orderBy' and 'sortOrder' parameters, which are directly incorporated into SQL queries. An authenticated user with access to the client viewing functionality could exploit this vulnerability by injecting custom SQL commands through crafted request parameters. This could facilitate unauthorized data retrieval, including potential exposure of sensitive files via the MySQL/MariaDB 'LOAD_FILE()' function. Users are strongly advised to upgrade to a secured version to mitigate this risk.
Affected Version(s)
Apache Fineract 0 <= 1.14.0