CVE-2026-27584

Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88	Patch
https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:actualbudget:actual:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-02-24 15:21

Updated : 2026-02-26 19:46

NVD link : CVE-2026-27584

Mitre link : CVE-2026-27584

CVE.ORG link : CVE-2026-27584

JSON object : View

Products Affected

actualbudget

actual

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2026-27584", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-24T15:21:39.010", "references": [{"url": "https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue."}, {"lang": "es", "value": "Actual es una herramienta de finanzas personales local-first. Antes de la versi\u00f3n 26.2.1, la falta de middleware de autenticaci\u00f3n en el componente de servidor de ActualBudget permit\u00eda a cualquier usuario no autenticado consultar los endpoints de integraci\u00f3n de SimpleFIN y Pluggy.ai y leer informaci\u00f3n sensible sobre el saldo de cuentas bancarias y transacciones. Esta vulnerabilidad permite a un atacante no autenticado leer el saldo de la cuenta bancaria y el historial de transacciones de los usuarios de ActualBudget. Esta vulnerabilidad afecta a todos los usuarios del servidor de ActualBudget con las integraciones de SimpleFIN o Pluggy.ai configuradas. La instancia del servidor de ActualBudget debe ser accesible a trav\u00e9s de la red. La versi\u00f3n 26.2.1 corrige el problema."}], "lastModified": "2026-02-26T19:46:14.007", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:actualbudget:actual:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E756E18C-B2C7-46B3-AF5A-D5BCC86C53B7", "versionEndExcluding": "26.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}