CVE-2026-57821
Received Received - Intake

SQL Injection in Apache Fineract via Office Search API

Vulnerability report for CVE-2026-57821, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: Apache Software Foundation

Description

A SQL Injection vulnerability exists in Apache Fineract's Office Search API (GET /api/v1/offices) in versions up to and including 1.14.0. The orderBy request parameter is concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view offices to inject arbitrary SQL via a crafted orderBy value. This is a bypass of the ColumnValidator fix introduced for CVE-2024-32838, which does not detect bare subqueries in the ORDER BY position. This can be leveraged to perform time-based blind SQL injection for data exfiltration. Because the injected query blocks the database connection for its full duration, concurrent exploitation can exhaust the application's database connection pool, resulting in denial of service for other users. Users are recommended to upgrade to a version containing the fix.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache fineract to 1.14.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a SQL Injection vulnerability in Apache Fineract's Office Search API (GET /api/v1/offices) affecting versions up to 1.14.0. The orderBy parameter is directly concatenated into a SQL query without proper validation, allowing authenticated users with office view permissions to inject malicious SQL code. This bypasses a previous fix (CVE-2024-32838) that didn't detect bare subqueries in ORDER BY clauses.

Executive Summary

This is a SQL Injection vulnerability in Apache Fineract's Office Search API (GET /api/v1/offices) affecting versions up to 1.14.0. The orderBy parameter is directly concatenated into a SQL query without proper validation, allowing authenticated users with office view permissions to inject malicious SQL commands. This bypasses a previous fix (CVE-2024-32838) by enabling bare subqueries in ORDER BY clauses. Exploitation can lead to time-based blind SQL injection for data theft or database connection exhaustion causing denial of service.

Impact Analysis

If you use Apache Fineract versions up to 1.14.0, an attacker with valid credentials and office view permissions could steal sensitive data through SQL injection. They could also crash the system by overwhelming the database connection pool, blocking access for all users. The impact includes potential data breaches, service disruption, and compliance violations.

Compliance Impact

This vulnerability could lead to unauthorized data access or exfiltration, violating GDPR's data protection principles and HIPAA's security requirements for protected health information. Successful exploitation may result in regulatory fines, legal liabilities, and reputational damage due to non-compliance with data security standards.

Detection Guidance

To detect this vulnerability, monitor for unusual SQL query patterns or errors in your Apache Fineract logs. Check for requests to /api/v1/offices with orderBy parameters containing SQL keywords like UNION, SELECT, or subqueries. Use network traffic analysis tools to inspect HTTP GET requests for suspicious orderBy values.

Mitigation Strategies

Upgrade Apache Fineract to a version containing the fix for CVE-2026-57821. If upgrading is not immediately possible, restrict access to the /api/v1/offices endpoint to trusted users only. Implement strict input validation for the orderBy parameter by enforcing a predefined allowlist of column names (id, name, nameDecorated, externalId, hierarchy, openingDate).

Impact Analysis

An attacker could exfiltrate sensitive data through time-based blind SQL injection. Additionally, exploiting this vulnerability consumes database connections for extended periods, potentially causing denial of service for other users by exhausting the connection pool.

Compliance Impact

This vulnerability could lead to unauthorized data access or exfiltration, violating GDPR's data protection principles and HIPAA's security requirements for protected health information. Organizations using affected versions may face compliance violations and potential regulatory penalties.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57821. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart