CVE-2026-27584
Published: 24 February 2026
Summary
CVE-2026-27584 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Actualbudget Actual. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-27584 is a missing authentication vulnerability (CWE-306) in the ActualBudget server component of Actual, a local-first personal finance tool. In versions prior to 26.2.1, the server lacks authentication middleware for the SimpleFIN and Pluggy.ai integration endpoints, allowing unauthenticated users to query these endpoints and access sensitive bank account balance and transaction information. The vulnerability, published on 2026-02-24 with a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), impacts all ActualBudget Server users who have configured SimpleFIN or Pluggy.ai integrations and expose the server over the network.
An unauthenticated attacker with network access to the ActualBudget Server can exploit this vulnerability by directly querying the affected integration endpoints. Successful exploitation enables the attacker to read the bank account balances and full transaction histories of affected ActualBudget users, resulting in high confidentiality impact without requiring privileges, user interaction, or system disruption.
Version 26.2.1 of Actual patches the issue by adding the necessary authentication middleware. Security practitioners should review the GitHub security advisory at https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668 and the patching commit at https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88 for implementation details and upgrade guidance.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8526
Vulnerability details
Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information.…
more
This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication on network-exposed integration endpoints of a public-facing server directly enables unauthenticated remote access to sensitive data, matching T1190 Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires enforcement of approved authorizations for access to sensitive endpoints, directly addressing the missing authentication middleware that allowed unauthenticated queries to bank data.
Limits and documents user actions permitted without identification or authentication, preventing exposure of sensitive SimpleFIN and Pluggy.ai integration data to unauthenticated attackers.
Mandates identification and authentication for non-organizational users accessing the ActualBudget server, mitigating unauthenticated access to user bank account balances and transactions.