PT-2026-21761

Iamsilk · Published 2026-02-24 · Updated 2026-03-01

CVE-2026-27584

CVSS v4.0: 9.2 Critical

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

ActualBudget versions prior to 26.2.1
Description

A missing authentication check in the ActualBudget server component (the sync server) allows unauthenticated clients to call the SimpleFIN and Pluggy.ai bank-integration endpoints. An attacker can thereby read bank account balances and transaction history for any ActualBudget user on that server who has one of these integrations enabled. The vulnerable endpoints are:

/simplefin/status
/simplefin/accounts
/simplefin/transactions
/pluggyai/status
/pluggyai/accounts
/pluggyai/transactions

The server instance must be reachable over the network for exploitation; no credentials and no user interaction are required (PR:N/UI:N in the vector above).

The vulnerable code is in the actualbudget/actual GitHub repository, in packages/sync-server/src/app-simplefin/app-simplefin.js and packages/sync-server/src/app-pluggyai/app-pluggyai.js. For comparison, packages/sync-server/src/app-gocardless/app-gocardless.js shows a properly authenticated integration.

Exploitation needs nothing more than curl requests to the endpoints with no authentication; the responses include account names, balances, transaction details and associated metadata.
Recommendations

Update to version 26.2.1 or later to resolve this issue. Until the update is applied, limit network exposure of the server instance: the endpoints can only be exploited when the server is reachable by the attacker.

Exploit

Fix

Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2026-27584
GHSA-m2cq-xjgm-f668

Affected Products

Actualbudget
Gocardless
Pluggy.ai
Simplefin