Description
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.
Published: 2026-02-26
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data access
Action: Immediate Patch
AI Analysis

Impact

Actual, a local-first personal finance tool, lacked an authorization check in its sync API endpoints before version 26.2.1. The flaw is a missing authorization check (CWE-862) that allows any authenticated user in multi-user mode to read, modify, and overwrite any other user's budget files by supplying the file's identifier. The result is a confidentiality breach and an integrity compromise of sensitive financial information.

Affected Systems

The vulnerability affects installations of actualbudget:actual on all platforms in versions prior to release 26.2.1, released in March 2026. Subsequent releases include the patch that enforces ownership verification on the sync endpoints.

Risk and Exploitability

The CVSS score of 5.7 classifies the issue as medium severity, and the EPSS score of less than 1% indicates a low probability of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog. An attacker must first authenticate to the application and know a target user's budget file ID. Successful exploitation grants direct access to that user's data, allowing extraction or tampering. Given the low exploitation probability and the authentication requirement, the overall risk is low for environments running the patched release, but unpatched deployments remain vulnerable.

Generated by OpenCVE AI on April 16, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the official 26.2.1 release or later, which includes the missing authorization check for the /sync/* endpoints.
  • Audit and strengthen the authorization logic for the sync API routes so that any operation first confirms the authenticated OpenID user owns or has explicit access to the requested file ID.
  • Implement strict validation of file identifiers so that requests for files not belonging to the current user are rejected or redirected, thereby preventing cross‑user data exposure.

Generated by OpenCVE AI on April 16, 2026 at 15:58 UTC.
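The ownership check described in the recommended actions above, as an added example that is not code from @actual-app/sync-server: a minimal model of a sync handler that checks only authentication, beside one that also verifies that the authenticated user owns or has been explicitly granted the requested file ID. The store, user names, file IDs and the `canAccess` helper are constructed for illustration.

```javascript
// Constructed in-memory file store: each budget file records its owner and
// the users it has been explicitly shared with. Names and IDs are hypothetical.
function makeStore() {
  return new Map([
    ['f-alice', { owner: 'alice', sharedWith: new Set(), content: 'alice-budget' }],
    ['f-bob', { owner: 'bob', sharedWith: new Set(['carol']), content: 'bob-budget' }],
  ]);
}

// Vulnerable shape (CWE-862): only authentication is checked. Any logged-in
// user who supplies another user's fileId can read or overwrite that file.
function syncVulnerable(store, user, fileId, newContent) {
  if (!user) return { status: 401 };
  const file = store.get(fileId);
  if (!file) return { status: 404 };
  if (newContent !== undefined) file.content = newContent;
  return { status: 200, content: file.content };
}

// Authorization rule: `user` must come from the verified session or OpenID
// token, never from the request body, and is compared against the file's ACL.
function canAccess(user, file) {
  return file.owner === user || file.sharedWith.has(user);
}

// Hardened shape: the ownership check runs before any read or write.
// Missing and forbidden files return the same status so the endpoint does
// not confirm which file IDs exist.
function syncFixed(store, user, fileId, newContent) {
  if (!user) return { status: 401 };
  const file = store.get(fileId);
  if (!file || !canAccess(user, file)) return { status: 404 };
  if (newContent !== undefined) file.content = newContent;
  return { status: 200, content: file.content };
}
```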


Advisories
Source: GitHub GHSA
ID: GHSA-qmjj-p7m9-wjrv
Title: @actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
History

Mon, 02 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:actualbudget:actual:*:*:*:*:*:node.js:*:*
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


Fri, 27 Feb 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Actualbudget; Actualbudget actual
Vendors & Products | | Actualbudget; Actualbudget actual

Thu, 26 Feb 2026 22:30:00 +0000

Type | Values Removed | Values Added
Description | | Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.
Title | | ActualBudget missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
Weaknesses | | CWE-862
References | |
Metrics | | cvssV4_0 {'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T20:48:53.277Z

Reserved: 2026-02-20T22:02:30.029Z

Link: CVE-2026-27638

Vulnrichment

Updated: 2026-03-02T20:48:50.439Z

NVD

Status : Analyzed

Published: 2026-02-26T23:16:34.807

Modified: 2026-02-27T17:03:28.260

Link: CVE-2026-27638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses