Cyber Resilience

CVE-2026-27638

MediumPublic PoC

Published: 26 February 2026

Published
26 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v4 5.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 12.1th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27638 is a medium-severity Missing Authorization (CWE-862) vulnerability in Actualbudget Actual. Its CVSS base score is 5.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2026-27638 is a missing authorization vulnerability (CWE-862) in Actual, a local-first personal finance tool. Prior to version 26.2.1, the sync API endpoints (/sync/*) in multi-user mode (using OpenID) do not verify that an authenticated user owns or has access to the file being operated on. This allows unauthorized access to budget files and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).

Any authenticated user with low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. By simply providing the file ID of another user's budget file, an attacker can read its contents (low confidentiality impact), modify it, or overwrite it entirely (high integrity impact), potentially compromising sensitive financial data of other users in the multi-user environment.

The vulnerability is addressed in Actual version 26.2.1, which includes a patch to enforce proper file ownership and access checks in the sync API. Mitigation requires upgrading to this version or later. Details are provided in the GitHub security advisory (GHSA-qmjj-p7m9-wjrv), release notes for v26.2.1, and the fixing commit (9966c024cb75f57943193cac8e42f401efed9d08).

EU & UK References

Vulnerability details

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can…

more

read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Missing authorization on sync API enables network exploitation of public-facing app (T1190) for unauthorized read of budget files (T1005) and stored data overwrite/manipulation (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33318Same product: Actualbudget Actual
CVE-2026-27584Same product: Actualbudget Actual
CVE-2026-25810Shared CWE-862
CVE-2025-0952Shared CWE-862
CVE-2025-24591Shared CWE-862
CVE-2026-27386Shared CWE-862
CVE-2025-11791Shared CWE-862
CVE-2026-34053Shared CWE-862
CVE-2026-3360Shared CWE-862
CVE-2026-4277Shared CWE-862

Affected Assets

actualbudget
actual
≤ 26.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on /sync/* endpoints so an authenticated user cannot read or modify another user's budget file by supplying only its ID.

prevent

Requires that each user's privileges be limited to only the budget files they own, preventing the broad file-ID access that the missing check permitted.

prevent

Ensures access-control decisions are made and enforced at the point of each sync-API operation rather than relying solely on prior authentication.

References