Skip to main content

Actual EUVDEUVD-2026-42078

| CVE-2026-50007 HIGH
Missing Authorization (CWE-862)
2026-07-07 GitHub_M
7.2
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable endpoint (AV:N/AC:L) callable by an authenticated low-privilege shared user (PR:L); data deletion/reset gives I:H and A:H, with no data disclosure so C:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 22:01 EUVD
Analysis Generated
Jul 07, 2026 - 21:37 vuln.today

DescriptionCVE.org

Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with user_access on a budget file to perform owner-only file management actions. A non-owner shared user can call file-management endpoints intended for higher-privilege users, including /delete-user-file, /reset-user-file, and /user-create-key, because requireFileAccess treats ordinary shared access as sufficient for file-management operations that should be restricted to the file owner or an administrator. This issue is fixed in version 26.7.0.

AnalysisAI

Privilege escalation via broken authorization in Actual (self-hosted open-source budgeting app) before 26.7.0 lets any shared user holding only user_access on a budget file invoke owner-only file-management endpoints. Because requireFileAccess treats ordinary shared access as sufficient, a low-privileged collaborator can call /delete-user-file, /reset-user-file, and /user-create-key to destroy or reset another user's budget data or rotate its encryption key. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as shared user_access collaborator
Delivery
Target owner's shared budget file
Exploit
Call /delete-user-file or /reset-user-file
Execution
requireFileAccess wrongly authorizes request
Impact
Destroy/reset budget or rotate encryption key

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be an authenticated shared user holding user_access on the target budget file on a multi-user Actual server before 26.7.0 (PR:L, AV:N, AC:L, UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VC:N/VI:H/VA:H) scores 7.2 High and is internally consistent with the description: network-reachable, low complexity, requires an authenticated but low-privileged shared user (PR:L), no user interaction, with high integrity and availability impact and no confidentiality impact - matching data destruction/reset rather than data theft. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A budget owner shares a file with a colleague, granting only ordinary user_access. The colleague, authenticated to the same Actual server, sends a crafted request to /delete-user-file or /reset-user-file for that shared file and - because the authorization check accepts any shared access - the server executes the owner-only operation, wiping or resetting the owner's budget or rotating its encryption key. …
Remediation Vendor-released patch: upgrade Actual to version 26.7.0 or later, which corrects requireFileAccess to enforce owner/administrator privileges on file-management operations (see advisory GHSA-23vm-ffgg-qvjr and fixing commits 18a8dc03c48eeb2e8252669a80673e6a9933b5fd and 3b9e79ed5ee795a80bbae214d6ebb2755289d7f2). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Actual instances running versions before 26.7.0 and audit users with budget file sharing permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy