Skip to main content

Ghostfolio CVE-2026-59709

| EUVDEUVD-2026-42046 MEDIUM
Missing Authorization (CWE-862)
2026-07-07 VulnCheck GHSA-w8j2-252j-wp53
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network API exploitable with low-privilege share token; no scope change or confidentiality/availability impact, only limited tag integrity modification.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 15:20 vuln.today

DescriptionCVE.org

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove tags on victim holdings, corrupting portfolio categorization and reports.

AnalysisAI

Ghostfolio's portfolio sharing impersonation feature exposes a missing authorization check on the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, allowing holders of read-only share tokens to modify portfolio holding tags they should only be able to view. Any user granted read-only access to another user's portfolio can exploit this flaw to assign or remove tags on holdings, silently corrupting the victim's portfolio categorization, reporting, and analytics. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain read-only share token from victim
Delivery
Send PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags with Impersonation-Id header
Exploit
Server authenticates token but skips permission check
Execution
Arbitrary tags assigned or removed on victim holdings
Impact
Portfolio categorization and reports silently corrupted

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid read-only share token that was explicitly issued by the target Ghostfolio user - this token is the Impersonation-Id header value. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) scoring 5.3 Medium accurately reflects the constrained impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has been granted a read-only share token by a Ghostfolio user crafts a PUT request to /api/v1/portfolio/holding/:dataSource/:symbol/tags, supplying the victim's portfolio identifier in the Impersonation-Id header and an arbitrary tag payload in the request body. Because the endpoint does not verify that the token's Access.permissions field permits write operations, the server processes the modification and corrupts the victim's holding tags, skewing portfolio reports and category-based analytics without the victim's knowledge. …
Remediation The primary fix is to update Ghostfolio to the version incorporating commit 697ef59e3b58bebc5c21a9e482e4f5643390f316, which addresses the missing permission check in the tag modification endpoint; the exact release version number is not independently confirmed from available data, so operators should verify against the upstream changelog at https://github.com/ghostfolio/ghostfolio. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59709 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy