Description

Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.

INFO

Published Date :

2026-02-24T14:59:21.175Z

Last Modified :

2026-02-27T20:48:57.689Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27584 vulnerability.

Vendors Products
Actualbudget
  • Actual
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27584.

URL Resource
https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88 cve-icon cve-icon
https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact