CVE-2026-35152 in Fineractinfo

Summary

by MITRE • 07/15/2026

A SQL Injection vulnerability exists in Apache Fineract's Report Execution API (runreports endpoint) in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run reports to inject arbitrary SQL via crafted parameter values. This can be leveraged to perform unauthorized access to data beyond what the report was designed to expose. Users are recommended to upgrade to a version containing the fix.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability under discussion represents a critical sql injection flaw within apache fineract's report execution api specifically targeting the runreports endpoint. this security weakness affects all versions up to and including 1.14.0 of the financial management platform, which is widely used by microfinance institutions and other organizations for core banking operations. the vulnerability stems from inadequate input validation mechanisms that fail to properly sanitize user-supplied parameters before incorporating them into database queries, creating a pathway for malicious actors to manipulate the underlying sql execution process.

the technical implementation of this flaw occurs when authenticated users with appropriate report execution permissions submit crafted parameter values through the api endpoint. these parameters are directly concatenated into sql query strings without proper sanitization or parameterized query construction techniques. this design oversight allows attackers to inject malicious sql fragments that can alter the intended query behavior and potentially execute unauthorized database operations. the vulnerability specifically targets the report generation functionality where user inputs are expected to filter or modify report data, but instead become executable code within the database context.

the operational impact of this vulnerability extends beyond simple data exposure concerns to encompass potential full database compromise scenarios. authenticated users can leverage this weakness to extract sensitive financial data, manipulate report results, and potentially gain access to information that should remain restricted to authorized personnel only. the attack surface is particularly concerning given that apache fineract serves organizations handling substantial financial transactions and personal data of clients. successful exploitation could result in unauthorized data access, data integrity compromise, and potential regulatory violations for organizations using the platform.

from a cybersecurity framework perspective, this vulnerability maps directly to cwe-89 sql injection and aligns with several att&ck techniques including t1071.008 application layer protocols and t1566 credential access through application exploitation. the attack vector requires authentication which reduces the initial attack surface but still represents a significant privilege escalation risk for organizations where users have legitimate report execution permissions. mitigation strategies should focus on immediate version upgrades to patched releases, implementation of proper parameterized queries, and comprehensive input validation mechanisms. organizations should also consider implementing web application firewalls and monitoring for unusual query patterns that might indicate exploitation attempts. the vulnerability highlights the critical importance of secure coding practices in financial applications where data integrity and access control are paramount security considerations.

this particular flaw demonstrates how seemingly routine functionality like report generation can become a gateway for sophisticated attacks when proper security controls are omitted from the development lifecycle. the fix typically involves implementing robust input sanitization, adopting parameterized query approaches, and ensuring that all user-supplied parameters are properly escaped or validated before database interaction occurs. organizations should conduct thorough security assessments of their apache fineract installations and ensure that all users have appropriate access controls to prevent unauthorized exploitation of this vulnerability across their financial systems.

Responsible

Apache

Reservation

04/01/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00328

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!