CVE-2026-27638
Published: 26 February 2026
Summary
CVE-2026-27638 is a medium-severity Missing Authorization (CWE-862) vulnerability in Actualbudget Actual. Its CVSS base score is 5.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2026-27638 is a missing authorization vulnerability (CWE-862) in Actual, a local-first personal finance tool. Prior to version 26.2.1, the sync API endpoints (/sync/*) in multi-user mode (using OpenID) do not verify that an authenticated user owns or has access to the file being operated on. This allows unauthorized access to budget files and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).
Any authenticated user with low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. By simply providing the file ID of another user's budget file, an attacker can read its contents (low confidentiality impact), modify it, or overwrite it entirely (high integrity impact), potentially compromising sensitive financial data of other users in the multi-user environment.
The vulnerability is addressed in Actual version 26.2.1, which includes a patch to enforce proper file ownership and access checks in the sync API. Mitigation requires upgrading to this version or later. Details are provided in the GitHub security advisory (GHSA-qmjj-p7m9-wjrv), release notes for v26.2.1, and the fixing commit (9966c024cb75f57943193cac8e42f401efed9d08).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8905
Vulnerability details
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can…
more
read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization on sync API enables network exploitation of public-facing app (T1190) for unauthorized read of budget files (T1005) and stored data overwrite/manipulation (T1565.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks on /sync/* endpoints so an authenticated user cannot read or modify another user's budget file by supplying only its ID.
Requires that each user's privileges be limited to only the budget files they own, preventing the broad file-ID access that the missing check permitted.
Ensures access-control decisions are made and enforced at the point of each sync-API operation rather than relying solely on prior authentication.