Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network API exploitable with low-privilege share token; no scope change or confidentiality/availability impact, only limited tag integrity modification.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove tags on victim holdings, corrupting portfolio categorization and reports.
AnalysisAI
Ghostfolio's portfolio sharing impersonation feature exposes a missing authorization check on the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, allowing holders of read-only share tokens to modify portfolio holding tags they should only be able to view. Any user granted read-only access to another user's portfolio can exploit this flaw to assign or remove tags on holdings, silently corrupting the victim's portfolio categorization, reporting, and analytics. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid read-only share token that was explicitly issued by the target Ghostfolio user - this token is the Impersonation-Id header value. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) scoring 5.3 Medium accurately reflects the constrained impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has been granted a read-only share token by a Ghostfolio user crafts a PUT request to /api/v1/portfolio/holding/:dataSource/:symbol/tags, supplying the victim's portfolio identifier in the Impersonation-Id header and an arbitrary tag payload in the request body. Because the endpoint does not verify that the token's Access.permissions field permits write operations, the server processes the modification and corrupts the victim's holding tags, skewing portfolio reports and category-based analytics without the victim's knowledge. … |
| Remediation | The primary fix is to update Ghostfolio to the version incorporating commit 697ef59e3b58bebc5c21a9e482e4f5643390f316, which addresses the missing permission check in the tag modification endpoint; the exact release version number is not independently confirmed from available data, so operators should verify against the upstream changelog at https://github.com/ghostfolio/ghostfolio. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Ghostfolio
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42046
GHSA-w8j2-252j-wp53