PT-2026-22202 · Actual · Actual · Q1Uf3Ng
Published: 2026-02-26 · Updated: 2026-03-25
CVE-2026-27638
CVSS v4.0: 7.1 (High)
AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Actual, versions prior to 26.2.1
Description: A flaw exists in Actual, a personal finance tool, where the sync API endpoints do not properly verify user access permissions in multi-user mode (OpenID). This allows any authenticated user to read, modify, and overwrite budget files belonging to other users by providing the file ID. The affected API endpoints are /sync/*. The vulnerable parameter is the file ID.
Recommendations: Update to version 26.2.1 or later.
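As an added illustration, not Actual's code, here is a hypothetical Node.js sync handler in the shape the description implies: the unchecked version serves whatever file ID the client sends, while the hardened version resolves ownership server-side before any read or write on /sync/*. The in-memory file table, the user objects (keyed by OpenID subject) and all function names are constructed for this example.

```javascript
// Hypothetical, simplified sync handlers (not Actual's code). Users are
// identified by their OpenID subject; files are budget files keyed by file ID.
// Constructed in-memory store standing in for the server's file table.
const files = new Map([
  ['file-a', { ownerId: 'alice', content: 'alice budget' }],
  ['file-b', { ownerId: 'bob', content: 'bob budget' }],
]);
const deniedEvents = []; // audit trail of denied cross-user access attempts

// Vulnerable pattern: the caller is authenticated, but the client-supplied
// fileId is trusted as-is, so any logged-in user can read any file by ID.
function syncDownloadUnchecked(user, fileId) {
  const file = files.get(fileId);
  if (!file) return { status: 404 };
  return { status: 200, body: file.content };
}

// Authorization check shared by every /sync/* handler: resolve ownership on
// the server side and compare it with the authenticated user.
function authorizeFile(user, fileId) {
  const file = files.get(fileId);
  if (!file || file.ownerId !== user.id) {
    // Record denials so cross-user probing is visible to monitoring, and
    // return the same result for "missing" and "not yours" so that the
    // existence of someone else's file ID is not confirmed.
    deniedEvents.push({ user: user.id, fileId });
    return null;
  }
  return file;
}

// Hardened read: ownership is enforced before the content is returned.
function syncDownload(user, fileId) {
  const file = authorizeFile(user, fileId);
  if (!file) return { status: 404 };
  return { status: 200, body: file.content };
}

// Hardened write: the same check guards modify/overwrite paths.
function syncUpload(user, fileId, newContent) {
  const file = authorizeFile(user, fileId);
  if (!file) return { status: 404 };
  file.content = newContent;
  return { status: 200 };
}
```

The fixed version 26.2.1 is the authoritative change; this block only shows the class of check that the "Missing Authorization" weakness refers to.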

Weakness Enumeration: Missing Authorization

Related Identifiers

CVE-2026-27638
GHSA-QMJJ-P7M9-WJRV

Affected Products

Actual