SQL Injection Vulnerability in Apache Fineract's Client Search API
CVE-2026-56287

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
15 July 2026

What is CVE-2026-56287?

A boolean-based SQL Injection vulnerability has been identified in the Client Search API of Apache Fineract, affecting versions up to and including 1.14.0. This issue arises from inadequate validation of the 'orderBy' and 'sortOrder' parameters, which are directly incorporated into SQL queries. An authenticated user with access to the client viewing functionality could exploit this vulnerability by injecting custom SQL commands through crafted request parameters. This could facilitate unauthorized data retrieval, including potential exposure of sensitive files via the MySQL/MariaDB 'LOAD_FILE()' function. Users are strongly advised to upgrade to a secured version to mitigate this risk.

Affected Version(s)

Apache Fineract 0 <= 1.14.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Anirudh Anand
Aman Sapra
Terence Monteiro (@terencemo)
Ádám Sághy (@adamsaghy)
.