CVE-2026-27638

MEDIUM5.7Auth bypass

Description

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

None

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Physical

Affected products

actualbudget / actual< 26.2.1 – < 26.2.1

References

VENDOR_ADVISORYhttps://github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrv
PATCHhttps://github.com/actualbudget/actual/commit/9966c024cb75f57943193cac8e42f401efed9d08
PATCHhttps://github.com/actualbudget/actual/releases/tag/v26.2.1