Is Actual affected by CVE-2026-27638?

Actual personal finance application versions prior to 26.2.1 contain an authorization bypass vulnerability in multi-user environments that allows authenticated users to access financial data belonging to other users through the sync API.

CVE-2026-27638

HIGH

2026-02-26 [email protected]

GHSA-qmjj-p7m9-wjrv

7.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:56 vuln.today

PoC Detected

Feb 27, 2026 - 17:03 vuln.today

Public exploit code

Patch Released

Feb 27, 2026 - 17:03 nvd

Patch available

CVE Published

Feb 26, 2026 - 23:16 nvd

HIGH 7.1

Description

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.

Analysis

Actual personal finance application prior to version 26.2.1 fails to enforce access controls on multi-user sync API endpoints, allowing any authenticated user to read, modify, or overwrite other users' budget files. Public exploit code exists for this vulnerability. …

Remediation

Within 24 hours: Identify all instances of Actual running version prior to 26.2.1 in multi-user (OpenID) mode and document which employees have access; assess whether sensitive financial data is stored. Within 7 days: Upgrade all affected Actual installations to version 26.2.1 or later, and verify patch deployment through API testing. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: +20

CVE-2026-27638 vulnerability details – vuln.today

Back

CVE-2026-27638

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-27638

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code