Cyber Resilience

CVE-2026-27584

CriticalPublic PoC

Published: 24 February 2026

Published
24 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v4 9.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0040 31.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-27584 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Actualbudget Actual. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-27584 is a missing authentication vulnerability (CWE-306) in the ActualBudget server component of Actual, a local-first personal finance tool. In versions prior to 26.2.1, the server lacks authentication middleware for the SimpleFIN and Pluggy.ai integration endpoints, allowing unauthenticated users to query these endpoints and access sensitive bank account balance and transaction information. The vulnerability, published on 2026-02-24 with a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), impacts all ActualBudget Server users who have configured SimpleFIN or Pluggy.ai integrations and expose the server over the network.

An unauthenticated attacker with network access to the ActualBudget Server can exploit this vulnerability by directly querying the affected integration endpoints. Successful exploitation enables the attacker to read the bank account balances and full transaction histories of affected ActualBudget users, resulting in high confidentiality impact without requiring privileges, user interaction, or system disruption.

Version 26.2.1 of Actual patches the issue by adding the necessary authentication middleware. Security practitioners should review the GitHub security advisory at https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668 and the patching commit at https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88 for implementation details and upgrade guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information.…

more

This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication on network-exposed integration endpoints of a public-facing server directly enables unauthenticated remote access to sensitive data, matching T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27638Same product: Actualbudget Actual
CVE-2026-33318Same product: Actualbudget Actual
CVE-2026-4810Shared CWE-306
CVE-2026-32211Shared CWE-306
CVE-2025-53847Shared CWE-306
CVE-2025-61757Shared CWE-306
CVE-2025-68715Shared CWE-306
CVE-2026-21992Shared CWE-306
CVE-2025-26362Shared CWE-306
CVE-2026-48692Shared CWE-306

Affected Assets

actualbudget
actual
≤ 26.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires enforcement of approved authorizations for access to sensitive endpoints, directly addressing the missing authentication middleware that allowed unauthenticated queries to bank data.

prevent

Limits and documents user actions permitted without identification or authentication, preventing exposure of sensitive SimpleFIN and Pluggy.ai integration data to unauthenticated attackers.

prevent

Mandates identification and authentication for non-organizational users accessing the ActualBudget server, mitigating unauthenticated access to user bank account balances and transactions.

References