CVE-2026-27638
HIGH 7.1
Description
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.
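The missing ownership check described above, modelled as an added example (not Actual's own code) of a sync handler for a multi-user deployment; FileStore, syncUnchecked, syncChecked and canAccess are hypothetical names, and the store and users are constructed inline.

```javascript
// In-memory stand-in for a server-side store of budget files (constructed).
// Each file records its owner and the users it has been shared with.
class FileStore {
  constructor() { this.files = new Map(); }
  create(fileId, ownerId, data) {
    this.files.set(fileId, { ownerId, sharedWith: new Set(), data });
  }
  get(fileId) { return this.files.get(fileId); }
}

// CWE-862 pattern: authentication is checked, authorization is not.
// Any authenticated user who supplies another user's file ID gets through.
function syncUnchecked(store, user, fileId, newData) {
  if (!user) return { status: 401 };
  const file = store.get(fileId);
  if (!file) return { status: 404 };
  file.data = newData;
  return { status: 200, data: file.data };
}

// Hardened pattern: bind the authenticated identity to the file before
// any read or write, not just to the route.
function canAccess(file, userId) {
  return file.ownerId === userId || file.sharedWith.has(userId);
}
function syncChecked(store, user, fileId, newData) {
  if (!user) return { status: 401 };
  const file = store.get(fileId);
  // 404 for both "missing" and "not yours", so file IDs cannot be enumerated.
  if (!file || !canAccess(file, user.id)) return { status: 404 };
  file.data = newData;
  return { status: 200, data: file.data };
}

// Walk one constructed scenario: bob, a legitimate second user, targets alice's file.
function demo() {
  const store = new FileStore();
  store.create('file-alice', 'alice', 'alice-budget-v1');
  const bob = { id: 'bob' };
  const before = syncUnchecked(store, bob, 'file-alice', 'overwritten').status;   // 200
  const after = syncChecked(store, bob, 'file-alice', 'overwritten-again').status; // 404
  return { before, after, data: store.get('file-alice').data };
}
```

In a real handler the same check belongs in shared middleware applied to every `/sync/*` route, so a newly added endpoint cannot silently skip it.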
CVE Details
CVSS v3.1 Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Published: 2/26/2026
Last Modified: 2/27/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
actualbudget:actual
Weaknesses (CWE)
CWE-862
References
https://github.com/actualbudget/actual/commit/9966c024cb75f57943193cac8e42f401efed9d08 (security-advisories@github.com)
https://github.com/actualbudget/actual/releases/tag/v26.2.1 (security-advisories@github.com)
https://github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrv (security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.