SQL Injection Vulnerability in Apache Fineract's Office Search API
CVE-2026-57821

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
15 July 2026

What is CVE-2026-57821?

A SQL Injection vulnerability has been identified in Apache Fineract's Office Search API. This flaw allows authenticated users with appropriate permissions to manipulate SQL queries through the 'orderBy' parameter, leading to potential data exfiltration. When an attacker injects a carefully crafted query, it can block the database connection, causing exhaustion of the connection pool and resulting in denial of service for other users. To safeguard against these risks, users are advised to upgrade to versions that incorporate the patch addressing this vulnerability.

Affected Version(s)

Apache Fineract 0 <= 1.14.0

Apache Fineract 1.15.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Venkatraman Kumar (@r3dw0lfsec) at Securin
Terence Monteiro (@terencemo)
Ádám Sághy (@adamsaghy)
.