PT-2026-22202 · Actual · Actual

Published: 2026-02-26 · Updated: 2026-03-25

CVE-2026-27638

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Actual, versions prior to 26.2.1

Description: Actual is a local-first personal finance tool. In multi-user mode (OpenID), the sync API endpoints (/sync/*) do not verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. The issue affects the following API endpoints: /sync/download-user-file, /sync/upload-user-file, /sync/sync, /sync/user-get-key, /sync/user-create-key, /sync/reset-user-file, /sync/update-user-filename, and /sync/get-user-file-info. The validateSessionMiddleware confirms that the caller is authenticated, but the endpoints lack a check that the authenticated user owns or has access to the requested file. File IDs can be discovered through various methods, including admin access and user sharing. This allows an attacker to steal financial data, modify budgets, and tamper with encryption keys.

Recommendations: Update to version 26.2.1 or later.
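The pattern described above, as an added illustration that is not Actual's code: an endpoint behind a session check that honours any client-supplied file ID, next to the same endpoint with the file bound to the session's user before it is read or written. The in-memory sessions and files tables, the x-actual-token header and the handler shapes are assumptions made so the example runs offline; only the endpoint names come from the advisory.

```javascript
// Added example illustrating the advisory's finding: an authenticated sync
// endpoint that trusts a client-supplied file ID. This is NOT Actual's code;
// the in-memory sessions/files tables and the x-actual-token header are
// assumptions made so the example runs offline.

// Constructed sample state: two users, two budget files, one per owner.
const sessions = new Map([
  ['tok-alice', 'alice'],
  ['tok-bob', 'bob'],
]);
const files = new Map([
  ['file-A', { owner: 'alice', name: 'Alice budget', encryptKeyId: 'key-A' }],
  ['file-B', { owner: 'bob', name: 'Bob budget', encryptKeyId: 'key-B' }],
]);

// Authentication only (what a session middleware establishes): maps the
// session token to a user ID, or returns null if the token is unknown.
function validateSession(req) {
  const userId = sessions.get(req.headers['x-actual-token'] || '');
  return userId ? { userId } : null;
}

// Vulnerable shape of /sync/get-user-file-info: the caller is authenticated,
// but whatever fileId they send is looked up and returned. Bob can read
// Alice's file name and encryption key ID just by naming her file.
function getUserFileInfoVulnerable(req) {
  const session = validateSession(req);
  if (!session) return { status: 401, body: { error: 'unauthorized' } };
  const file = files.get(req.query.fileId);
  if (!file) return { status: 404, body: { error: 'file not found' } };
  return { status: 200, body: { name: file.name, encryptKeyId: file.encryptKeyId } };
}

// Authorization helper: resolves the file AND binds it to the session's user.
// Returns the file only if this user owns it; a foreign or unknown file ID is
// reported the same way (null -> 404) so the endpoint does not confirm which
// IDs exist.
function loadOwnedFile(session, fileId) {
  const file = files.get(fileId);
  if (!file || file.owner !== session.userId) return null;
  return file;
}

// Hardened read endpoint: identical to the vulnerable one except that the
// lookup goes through loadOwnedFile.
function getUserFileInfoFixed(req) {
  const session = validateSession(req);
  if (!session) return { status: 401, body: { error: 'unauthorized' } };
  const file = loadOwnedFile(session, req.query.fileId);
  if (!file) return { status: 404, body: { error: 'file not found' } };
  return { status: 200, body: { name: file.name, encryptKeyId: file.encryptKeyId } };
}

// Hardened write endpoint (shape of /sync/update-user-filename): the same
// ownership check must guard mutations, otherwise an attacker can rename,
// reset or re-key another user's file.
function updateUserFilenameFixed(req) {
  const session = validateSession(req);
  if (!session) return { status: 401, body: { error: 'unauthorized' } };
  const file = loadOwnedFile(session, req.body.fileId);
  if (!file) return { status: 404, body: { error: 'file not found' } };
  file.name = String(req.body.name);
  return { status: 200, body: { name: file.name } };
}

// Sample usage: Bob, authenticated with his own token, asks for Alice's file.
const bobReadsAlice = {
  headers: { 'x-actual-token': 'tok-bob' },
  query: { fileId: 'file-A' },
  body: {},
};
console.log('vulnerable:', getUserFileInfoVulnerable(bobReadsAlice).status); // 200
console.log('fixed:     ', getUserFileInfoFixed(bobReadsAlice).status);      // 404
```

The point of routing every file lookup through one helper is that the eight affected endpoints all share the same missing check; a per-handler fix is easy to miss on the next endpoint added. Whether a foreign file ID should answer 403 or 404 is a design choice; the example uses 404 so the endpoint is not also an existence oracle, although the advisory notes file IDs are discoverable by other means anyway.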

Weakness Enumeration: Missing Authorization (CWE-862)

Related Identifiers: CVE-2026-27638, GHSA-QMJJ-P7M9-WJRV

Affected Products: Actual