Description

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.

INFO

Published Date :

2026-02-26T22:14:21.481Z

Last Modified :

2026-03-02T20:48:53.277Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27638 vulnerability.

Vendors Products
Actualbudget
  • Actual
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27638.

URL Resource
https://github.com/actualbudget/actual/commit/9966c024cb75f57943193cac8e42f401efed9d08 cve-icon cve-icon
https://github.com/actualbudget/actual/releases/tag/v26.2.1 cve-icon cve-icon
https://github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrv cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact