CVE-2026-27638

Source
https://cve.org/CVERecord?id=CVE-2026-27638
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27638.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27638
Aliases
Published
2026-02-26T22:14:21.481Z
Modified
2026-03-03T02:35:58.160481Z
Severity
  • 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Summary
ActualBudget missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
Details

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (/sync/*) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27638.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/actualbudget/actual

Affected ranges

Type
GIT
Repo
https://github.com/actualbudget/actual
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v22.*
v22.12.9
v23.*
v23.1.12
v23.10.0
v23.11.0
v23.12.0
v23.2.5
v23.2.9
v23.3.0
v23.3.2
v23.4.0
v23.4.1
v23.4.2
v23.5.0
v23.6.0
v23.7.0
v23.7.1
v23.7.2
v23.8.0
v23.8.1
v23.9.0
v24.*
v24.1.0
v24.10.0
v24.11.0
v24.12.0
v24.2.0
v24.3.0
v24.4.0
v24.5.0
v24.6.0
v24.7.0
v24.8.0
v24.9.0
v25.*
v25.1.0
v25.10.0
v25.11.0
v25.12.0
v25.2.0
v25.3.0
v25.4.0
v25.5.0
v25.6.0
v25.6.1
v25.7.0
v25.7.1
v25.8.0
v25.9.0
v26.*
v26.1.0
v26.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27638.json"