What is the CVSS score of CVE-2026-27638?

CVE-2026-27638 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Actual are affected by CVE-2026-27638?

Actual personal finance application versions prior to 26.2.1 contain an authorization bypass vulnerability in multi-user environments that allows authenticated users to access financial data…. A patch is available.

Is there a public PoC exploit available for CVE-2026-27638?

Yes, a public proof-of-concept exploit is available for CVE-2026-27638. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-27638?

Within 24 hours: Identify all instances of Actual running version prior to 26.2.1 in multi-user (OpenID) mode and document which employees have access; assess whether sensitive financial data is stored. Within 7 days: Upgrade all affected Actual installations to version 26.2.1 or later, and verify patch deployment through API testing. Within 30 days: Conduct access logs review for the past 90 days to detect unauthorized sync API calls, reset authentication credentials for all users, and implement additional access controls if multi-user mode is business-critical.

Actual CVE-2026-27638

HIGH

Missing Authorization (CWE-862)

2026-02-26 security-advisories@github.com

GHSA-qmjj-p7m9-wjrv

Authentication Bypass Actual

7.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:56 vuln.today

PoC Detected

Feb 27, 2026 - 17:03 vuln.today

Public exploit code

Patch released

Feb 27, 2026 - 17:03 nvd

Patch available

CVE Published

Feb 26, 2026 - 23:16 nvd

HIGH 7.1

DescriptionGitHub Advisory

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (/sync/*) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.

AnalysisAI

Actual personal finance application prior to version 26.2.1 fails to enforce access controls on multi-user sync API endpoints, allowing any authenticated user to read, modify, or overwrite other users' budget files. Public exploit code exists for this vulnerability. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate via OpenID in multi-user mode

Exploit

Request sync API endpoint with arbitrary file ID

Execution

Access another user's budget file

Impact

Read, modify, or overwrite victim's financial data

Access

Authenticate via OpenID in multi-user mode

Exploit

Request sync API endpoint with arbitrary file ID

Execution

Access another user's budget file

Impact

Read, modify, or overwrite victim's financial data

Vulnerability AssessmentAI

Exploitation	Multi-user mode with OpenID authentication enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.1 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker (requires authentication) could exploit this vulnerability to compromise the affected system.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all instances of Actual running version prior to 26.2.1 in multi-user (OpenID) mode and document which employees have access; assess whether sensitive financial data is stored. …

Threat intelligence, references, and detailed analysis are available after sign-in.