Description
Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.
Published: 2026-02-24
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of bank account balances and transaction history
Action: Apply Patch
AI Analysis

Impact

A missing authentication check on the ActualBudget server exposes the SimpleFIN and Pluggy.ai integration endpoints to any network user, allowing read access to sensitive bank account balances and transaction histories. The flaw is a classic missing authentication weakness (CWE‑306) and can result in the compromise of confidential financial data for all affected users.
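The CWE-306 shape described above, as an added example written for this page (it is not code from the Actual project and does not reproduce the 26.2.1 fix): a dependency-free Node.js router registers an ordinary data route behind a session middleware, mounts the bank-sync route group once with an empty middleware chain (the vulnerable build) and once with the same middleware applied (the fixed build), and a probe lists which paths answer an unauthenticated request. The route paths, the `x-actual-token` header, the session store and the bank data are assumptions constructed for the example.

```javascript
'use strict';

// Constructed session store (token -> user); an assumption for the example,
// not Actual's session handling.
const SESSIONS = new Map([['tok-alice', { user: 'alice' }]]);

// Constructed sample bank data standing in for what integration endpoints
// return. Not real account data.
const BANK_DATA = {
  accounts: [{ id: 'acct-1', name: 'Checking', balance: 1234.56 }],
  transactions: [{ id: 'tx-1', account: 'acct-1', amount: -42.0, payee: 'Grocer' }],
};

// Authentication middleware: continue (true) only if the request carries a
// token that maps to a session; otherwise write a 401 and stop (false).
function requireSession(req, res) {
  const token = req.headers['x-actual-token'];
  const session = token ? SESSIONS.get(token) : undefined;
  if (!session) {
    res.status = 401;
    res.body = { error: 'unauthorized' };
    return false;
  }
  req.user = session.user;
  return true;
}

// Build an app. protectBankSync=false gives the vulnerable route table
// (bank-sync group mounted with no middleware); true gives the fixed one.
function buildApp({ protectBankSync }) {
  const routes = new Map();
  const route = (path, middlewares, handler) =>
    routes.set(path, { middlewares, handler });

  // Ordinary data endpoint: protected in both builds.
  route('/sync/list-user-files', [requireSession], (req, res) => {
    res.status = 200;
    res.body = { user: req.user, files: [] };
  });

  // Bank-sync endpoints (paths are assumed, not Actual's). With an empty
  // middleware chain any network client reaches the handler directly.
  const bankSync = protectBankSync ? [requireSession] : [];
  route('/simplefin/accounts', bankSync, (req, res) => {
    res.status = 200;
    res.body = BANK_DATA.accounts;
  });
  route('/simplefin/transactions', bankSync, (req, res) => {
    res.status = 200;
    res.body = BANK_DATA.transactions;
  });
  route('/pluggyai/accounts', bankSync, (req, res) => {
    res.status = 200;
    res.body = BANK_DATA.accounts;
  });

  return {
    // Dispatch one request {path, headers}; returns {status, body}.
    handle(req) {
      const res = { status: 404, body: null };
      const match = routes.get(req.path);
      if (!match) return res;
      for (const mw of match.middlewares) {
        if (!mw(req, res)) return res;
      }
      match.handler(req, res);
      return res;
    },
  };
}

const BANK_SYNC_PATHS = ['/simplefin/accounts', '/simplefin/transactions', '/pluggyai/accounts'];

// Probe: which of the given paths return data to a request with no token?
function unauthenticatedExposure(app, paths = BANK_SYNC_PATHS) {
  return paths.filter((path) => app.handle({ path, headers: {} }).status === 200);
}

const vulnerableApp = buildApp({ protectBankSync: false });
const patchedApp = buildApp({ protectBankSync: true });

// Run the probe against both builds plus a valid and a bogus token.
function demo() {
  const withToken = (token) =>
    patchedApp.handle({ path: '/simplefin/accounts', headers: { 'x-actual-token': token } }).status;
  return {
    vulnerable: unauthenticatedExposure(vulnerableApp),
    patched: unauthenticatedExposure(patchedApp),
    patchedWithValidToken: withToken('tok-alice'),
    patchedWithBogusToken: withToken('nope'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

`unauthenticatedExposure` is the check worth keeping after an upgrade: run it against your own route table and any data path that answers 200 to a request carrying no session is the bug. In this model the bank-sync routes stay mounted whether or not an integration is configured; it is the middleware on the route group, not the integration setting, that stops an unauthenticated client from reaching the handler.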

Affected Systems

The vulnerability affects the ActualBudget server component in every version before 26.2.1 on which the SimpleFIN or Pluggy.ai integration is configured. The platform does not matter (the NVD CPE targets the node.js application itself); any instance reachable over a network, including an internal one, is affected.

Risk and Exploitability

The CVSS 4.0 base score of 9.2 (AV:N/AC:L/AT:N/PR:N/UI:N with high confidentiality impact on both the vulnerable and the subsequent system) rates the issue critical; NVD's CVSS 3.1 assessment of the same network, no-privilege, confidentiality-only profile is 7.5 (High). The EPSS score below 1% indicates a low predicted probability of exploitation in the wild, and the vulnerability is not in the CISA KEV catalog, but the SSVC record marks it Exploitation: poc and Automatable: yes, and no credentials or user interaction are needed: anyone who can reach the server from the internet or an internal network can query the endpoints directly.

Generated by OpenCVE AI on April 16, 2026 at 16:25 UTC.

Remediation

Vendor fix: version 26.2.1 patches the issue (per the description and GHSA-m2cq-xjgm-f668). No vendor-provided workaround is listed for earlier versions.

OpenCVE Recommended Actions

  • Upgrade the ActualBudget Server to version 26.2.1 or later, which includes the authentication fix for the affected endpoints.
  • If upgrading immediately is not possible, restrict inbound access to the server using firewall rules or VPN to only trusted hosts, limiting the attack surface.
  • As a temporary workaround, remove or disable the SimpleFIN and Pluggy.ai integrations until the patch is applied.


Advisories
Source: GitHub GHSA
ID: GHSA-m2cq-xjgm-f668
Title: ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
History

Fri, 27 Feb 2026 21:15:00 +0000
  Metrics (ssvc) added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 20:00:00 +0000
  CPEs added: cpe:2.3:a:actualbudget:actual:*:*:*:*:*:node.js:*:*
  Metrics (cvssV3_1) added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 25 Feb 2026 12:00:00 +0000
  First Time appeared: Actualbudget; Actualbudget actual
  Vendors & Products added: Actualbudget; Actualbudget actual

Tue, 24 Feb 2026 15:15:00 +0000
  Description added: Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.
  Title added: ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
  Weaknesses added: CWE-306
  References added:
  Metrics (cvssV4_0) added: {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T20:48:57.689Z

Reserved: 2026-02-20T17:40:28.450Z

Link: CVE-2026-27584

Vulnrichment

Updated: 2026-02-27T20:48:54.415Z

NVD

Status : Analyzed

Published: 2026-02-24T15:21:39.010

Modified: 2026-02-26T19:46:14.007

Link: CVE-2026-27584

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses