CVE-2026-27638
HIGH 7.1
Description
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.
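The missing check described above, shown as an added illustration that is not Actual's code: a minimal model of a sync-API handler before and after a per-file access check is added. The in-memory file table, the sharing rule and all function names are assumptions, and JavaScript is assumed as the language of the server.

```javascript
// Added illustration (not Actual's code): a sync-API handler modelled with and
// without the per-file access check the advisory describes. The store, the
// access rule and every name below are assumptions.
'use strict';

// Constructed sample data: which user owns / may access which budget file.
const files = new Map([
  ['file-alice', { owner: 'alice', sharedWith: new Set(), budget: { version: 3 } }],
  ['file-bob',   { owner: 'bob',   sharedWith: new Set(['carol']), budget: { version: 7 } }],
]);

class ForbiddenError extends Error {}
class NotFoundError extends Error {}

// Pre-fix behaviour (CWE-862): only authentication is checked. The file ID
// supplied by the caller is trusted, so any logged-in user reaches any file.
function syncVulnerable(user, fileId, update) {
  if (!user) throw new Error('unauthenticated');
  const f = files.get(fileId);
  if (!f) throw new NotFoundError(fileId);
  if (update) f.budget = { ...f.budget, ...update };
  return f.budget;
}

// Fixed behaviour: resolve the file, then require that the caller owns it or
// has been granted access, before any read or write. Unknown and forbidden
// IDs get the same response so the endpoint does not reveal which IDs exist.
function canAccess(user, f) {
  return f.owner === user || f.sharedWith.has(user);
}
function syncFixed(user, fileId, update) {
  if (!user) throw new Error('unauthenticated');
  const f = files.get(fileId);
  if (!f || !canAccess(user, f)) throw new ForbiddenError(fileId);
  if (update) f.budget = { ...f.budget, ...update };
  return f.budget;
}
```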
CVE details
CVSS v3.1 score: 7.1
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 2/26/2026
Last modified: 2/27/2026
Source: nvd
Honeypot sightings: 0
Affected products
actualbudget:actual
Weaknesses (CWE)
CWE-862
References
https://github.com/actualbudget/actual/commit/9966c024cb75f57943193cac8e42f401efed9d08 (security-advisories@github.com)
https://github.com/actualbudget/actual/releases/tag/v26.2.1 (security-advisories@github.com)
https://github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrv (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.