CVE-2026-27638
Published: 26 February 2026
Summary
CVE-2026-27638 is a high-severity Missing Authorization (CWE-862) vulnerability in Actualbudget Actual. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
Reviews of access controls detect missing authorization checks on critical functions or resources.
Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.
Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization on sync API enables network exploitation of public-facing app (T1190) for unauthorized read of budget files (T1005) and stored data overwrite/manipulation (T1565.001).
NVD Description
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can…
more
read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.
Deeper analysisAI
CVE-2026-27638 is a missing authorization vulnerability (CWE-862) in Actual, a local-first personal finance tool. Prior to version 26.2.1, the sync API endpoints (/sync/*) in multi-user mode (using OpenID) do not verify that an authenticated user owns or has access to the file being operated on. This allows unauthorized access to budget files and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).
Any authenticated user with low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. By simply providing the file ID of another user's budget file, an attacker can read its contents (low confidentiality impact), modify it, or overwrite it entirely (high integrity impact), potentially compromising sensitive financial data of other users in the multi-user environment.
The vulnerability is addressed in Actual version 26.2.1, which includes a patch to enforce proper file ownership and access checks in the sync API. Mitigation requires upgrading to this version or later. Details are provided in the GitHub security advisory (GHSA-qmjj-p7m9-wjrv), release notes for v26.2.1, and the fixing commit (9966c024cb75f57943193cac8e42f401efed9d08).
Details
- CWE(s)