Main Vulnerability Database SB2025122304

SB2025122304 - Multiple vulnerabilities in Apache Fineract

Published: December 23, 2025

Security Bulletin ID SB2025122304

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Insufficiently protected credentials (CVE-ID: CVE-2025-58130)

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to the Server Key is not masked in the application's interface. An attacker with ability to snoop on the Apache Fineract administrator can view the Server Key and use it later in attacks against the application.

2) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-58137)

The vulnerability allows a remote user to bypass authorization checks.

The vulnerability exists due to the application does not perform authorization checks within the self-service API endpoint when allowing users to manipulate with application identifiers. A remote user can bypass implemented security restrictions by manipulating parameters in the requests.

Remediation

Install update from vendor's website.

SB2025122304 - Multiple vulnerabilities in Apache Fineract

Breakdown by Severity

Description

Remediation

References

Please verify you're human