Description
Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue.
Published: 2026-01-19
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Financial Modification
Action: Patch Upgrade
AI Analysis

Impact

Whisper Money’s sync/balances endpoint suffers from an insecure direct object reference that allows an authenticated user to modify balances in other users’ bank accounts, potentially leading to unauthorized financial changes. The flaw corresponds to CWE‑639 and CWE‑488. An attacker can manipulate account balances without privilege escalation, resulting in monetary loss or incorrect account state.

Affected Systems

The vulnerability affects the Whisper Money personal finance application before version 0.1.5. Users running any pre‑0.1.5 release are susceptible. The issue has been addressed in version 0.1.5 and later.

Risk and Exploitability

The CVSS score of 4.9 indicates low to medium severity, and the EPSS score is below 1%, suggesting a low probability of observed exploitation. The flaw is not listed in CISA’s KEV catalog. The likely attack vector is a remote user sending crafted requests to the sync/balances endpoint after authenticating, taking advantage of missing ownership checks. Even though exploitation is unlikely, the impact on financial data can be significant.

Generated by OpenCVE AI on April 18, 2026 at 15:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Whisper Money to version 0.1.5 or newer to eliminate the IDOR flaw.
  • Enforce strict ownership checks on all balance‑modifying endpoints so that only the account owner can update balances.
  • Add logging and monitoring for all balance changes to detect unauthorized activity promptly.

Generated by OpenCVE AI on April 18, 2026 at 15:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Whisper.money
Whisper.money whisper Money
Weaknesses CWE-639
CPEs cpe:2.3:a:whisper.money:whisper_money:*:*:*:*:*:*:*:*
Vendors & Products Whisper.money
Whisper.money whisper Money
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Tue, 20 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Whisper-money
Whisper-money whisper-money
Vendors & Products Whisper-money
Whisper-money whisper-money

Mon, 19 Jan 2026 21:00:00 +0000

Type Values Removed Values Added
Description Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue.
Title Whisper Money has IDOR Vulnerability on sync/balances endpoint
Weaknesses CWE-488
References
Metrics cvssV4_0

{'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Whisper-money Whisper-money
Whisper.money Whisper Money
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T15:54:02.974Z

Reserved: 2026-01-16T15:46:40.842Z

Link: CVE-2026-23844

cve-icon Vulnrichment

Updated: 2026-01-20T15:53:52.164Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-19T21:15:51.207

Modified: 2026-02-05T18:49:26.760

Link: CVE-2026-23844

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses