Unknown · Actualbudget · CVE-2026-27584
**Name of the Vulnerable Software and Affected Versions**
ActualBudget versions prior to 26.2.1
**Description**
A missing authentication check in the ActualBudget server component allows unauthenticated users to access the SimpleFIN and Pluggy.ai integration endpoints. This allows an attacker to read sensitive bank account balance and transaction information for ActualBudget users who have these integrations enabled. The server instance must be reachable over the network for exploitation.

The vulnerable endpoints are: `/simplefin/status`, `/simplefin/accounts`, `/simplefin/transactions`, `/pluggyai/status`, `/pluggyai/accounts`, and `/pluggyai/transactions`.

The vulnerable source code is located in the `actualbudget/actual` GitHub repository within the `packages/sync-server/src/app-simplefin/app-simplefin.js` and `packages/sync-server/src/app-pluggyai/app-pluggyai.js` files. An example of a properly authenticated integration is found in `packages/sync-server/src/app-gocardless/app-gocardless.js`.

Exploitation can be performed using `curl` commands to query the endpoints without authentication, retrieving account details and transaction history. Example responses include account names, balances, transaction details, and associated metadata.
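The following is an added example, not code from the `actualbudget/actual` repository, that contrasts the two wiring patterns the advisory describes: an integration router mounted with no session check next to one that runs a session-validation middleware before every route, which is the pattern the advisory points to in the GoCardless integration. Express is replaced by a minimal in-file router with the same `(req, res, next)` middleware shape so the block runs with plain Node.js. The middleware name `validateSessionMiddleware`, the `x-actual-token` header, the token value and the account data are all constructed for this example and are assumptions, not the sync-server's real identifiers.

```javascript
// Added example (not code from actualbudget/actual). Constructed set of valid
// session tokens standing in for the server's session store.
const VALID_TOKENS = new Set(['constructed-valid-token']);

// Assumed session check (name and header are assumptions): reject the request
// unless the token header matches a known session. Same (req, res, next) shape
// as an Express middleware.
function validateSessionMiddleware(req, res, next) {
  const token = req.headers['x-actual-token'];
  if (!token || !VALID_TOKENS.has(token)) {
    res.status(401).send({ status: 'error', reason: 'unauthorized' });
    return;
  }
  next();
}

// Integration handler: in the real server this would call SimpleFIN or
// Pluggy.ai with stored credentials. Here it returns constructed account data.
function accountsHandler(req, res) {
  res.status(200).send({
    status: 'ok',
    data: { accounts: [{ name: 'Checking (constructed)', balance: 1234.56 }] },
  });
}

// Tiny router that runs middlewares in registration order before the matched
// route handler, mimicking Express's app.use()/app.post() chain.
class Router {
  constructor() {
    this.routes = new Map();
    this.middlewares = [];
  }
  use(mw) { this.middlewares.push(mw); }
  post(path, handler) { this.routes.set(path, handler); }
  handle(path, req) {
    const res = {
      statusCode: null,
      body: null,
      status(code) { this.statusCode = code; return this; },
      send(body) { this.body = body; return this; },
    };
    const chain = [...this.middlewares, this.routes.get(path)];
    let i = 0;
    const next = () => {
      const fn = chain[i++];
      if (fn) fn(req, res, next);
    };
    next();
    return res;
  }
}

// Vulnerable wiring: the integration route is mounted with no session check,
// so any client that can reach the server hits the handler directly.
function buildVulnerableRouter() {
  const app = new Router();
  app.post('/simplefin/accounts', accountsHandler);
  return app;
}

// Fixed wiring: the session middleware is registered before the routes, so an
// unauthenticated request is answered with 401 and never reaches the handler.
function buildFixedRouter() {
  const app = new Router();
  app.use(validateSessionMiddleware);
  app.post('/simplefin/accounts', accountsHandler);
  return app;
}

// Returns the HTTP status a router would send for a request with these headers.
function probe(router, path, headers = {}) {
  return router.handle(path, { headers }).statusCode;
}

// Stand-alone demonstration of the difference.
console.log('vulnerable, no token:', probe(buildVulnerableRouter(), '/simplefin/accounts'));
console.log('fixed, no token:', probe(buildFixedRouter(), '/simplefin/accounts'));
console.log('fixed, valid token:', probe(buildFixedRouter(), '/simplefin/accounts',
  { 'x-actual-token': 'constructed-valid-token' }));
```

The useful property of the fixed form is that authentication is enforced by router-level middleware rather than inside each handler, so a newly added integration endpoint cannot silently omit the check; a review of any integration router should confirm the middleware is registered before its routes.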
**Recommendations**
Update to version 26.2.1 or later to resolve this issue.