QwikSec

Security Database

CVE

CWE

Training

CVE-2026-27638

Published: Feb 26, 2026

Modified: Mar 2, 2026

PUBLISHED

Description

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.

Vendor	Product	Versions
actualbudget	actual	affected `< 26.2.1`

Weaknesses (CWE)

References

https://github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrv

x_refsource_CONFIRM

https://github.com/actualbudget/actual/commit/9966c024cb75f57943193cac8e42f401efed9d08

x_refsource_MISC

https://github.com/actualbudget/actual/releases/tag/v26.2.1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.