Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint (AV:N/AC:L) callable by an authenticated low-privilege shared user (PR:L); data deletion/reset gives I:H and A:H, with no data disclosure so C:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with user_access on a budget file to perform owner-only file management actions. A non-owner shared user can call file-management endpoints intended for higher-privilege users, including /delete-user-file, /reset-user-file, and /user-create-key, because requireFileAccess treats ordinary shared access as sufficient for file-management operations that should be restricted to the file owner or an administrator. This issue is fixed in version 26.7.0.
AnalysisAI
Privilege escalation via broken authorization in Actual (self-hosted open-source budgeting app) before 26.7.0 lets any shared user holding only user_access on a budget file invoke owner-only file-management endpoints. Because requireFileAccess treats ordinary shared access as sufficient, a low-privileged collaborator can call /delete-user-file, /reset-user-file, and /user-create-key to destroy or reset another user's budget data or rotate its encryption key. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be an authenticated shared user holding user_access on the target budget file on a multi-user Actual server before 26.7.0 (PR:L, AV:N, AC:L, UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VC:N/VI:H/VA:H) scores 7.2 High and is internally consistent with the description: network-reachable, low complexity, requires an authenticated but low-privileged shared user (PR:L), no user interaction, with high integrity and availability impact and no confidentiality impact - matching data destruction/reset rather than data theft. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A budget owner shares a file with a colleague, granting only ordinary user_access. The colleague, authenticated to the same Actual server, sends a crafted request to /delete-user-file or /reset-user-file for that shared file and - because the authorization check accepts any shared access - the server executes the owner-only operation, wiping or resetting the owner's budget or rotating its encryption key. … |
| Remediation | Vendor-released patch: upgrade Actual to version 26.7.0 or later, which corrects requireFileAccess to enforce owner/administrator privileges on file-management operations (see advisory GHSA-23vm-ffgg-qvjr and fixing commits 18a8dc03c48eeb2e8252669a80673e6a9933b5fd and 3b9e79ed5ee795a80bbae214d6ebb2755289d7f2). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Actual instances running versions before 26.7.0 and audit users with budget file sharing permissions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Actual is a local-first personal finance tool. [CVSS 7.5 HIGH]
Actual personal finance application prior to version 26.2.1 fails to enforce access controls on multi-user sync API endp
Unauthenticated access to the `POST /openid/config` endpoint in Actual Budget sync-server versions <= 26.4.0 exposes the
Path traversal across multiple endpoints in Actual, the open-source self-hosted personal finance application, allows aut
Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions up to 26.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42078