What is the CVSS score of CVE-2026-27584?

CVE-2026-27584 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Actual are affected by CVE-2026-27584?

CVE-2026-27584 affects Actual, a local-first personal finance tool used by employees for personal financial management.. A patch is available.

Is there a public PoC exploit available for CVE-2026-27584?

Yes, a public proof-of-concept exploit is available for CVE-2026-27584. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-27584?

Within 24 hours: Identify all systems running Actual and assess usage scope across the organization. Within 7 days: Deploy available vendor patch to all affected instances; communicate mandatory update requirements to end users. Within 30 days: Verify patch deployment completion through vulnerability scanning and document remediation in change management system.

Actual CVE-2026-27584

HIGH

Missing Authentication for Critical Function (CWE-306)

2026-02-24 security-advisories@github.com

GHSA-m2cq-xjgm-f668

Authentication Bypass Information Disclosure Actual

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 26, 2026 - 19:46 vuln.today

Public exploit code

Patch released

Feb 26, 2026 - 19:46 nvd

Patch available

CVE Published

Feb 24, 2026 - 15:21 nvd

HIGH 7.5

DescriptionGitHub Advisory

Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.

AnalysisAI

Actual is a local-first personal finance tool. [CVSS 7.5 HIGH]

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send unauthenticated HTTP request to SimpleFIN endpoint

Exploit

Query integration API without credentials

Execution

Retrieve sensitive bank account balances and transactions

Impact

Exfiltrate financial data

Access

Send unauthenticated HTTP request to SimpleFIN endpoint

Exploit

Query integration API without credentials

Execution

Retrieve sensitive bank account balances and transactions

Impact

Exfiltrate financial data

Vulnerability AssessmentAI

Exploitation	ActualBudget Server version prior to 26.2.1 with SimpleFIN or Pluggy.ai integrations configured and exposed on network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote attacker without authentication could exploit this vulnerability to compromise the affected system.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.