CVE-2026-27638 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the au…
Medium CVSS: 5.7

CVE-2026-27638

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.
Vendor
Actualbudget
Product
Actual
CWE
CWE-862
Yayın Tarihi
2026-02-26 23:16:34
Güncelleme
2026-02-27 17:03:28
Source Identifier
security-advisories@github.com
KEV Date Added
-

Kategoriler

CWE-862 Actual MEDIUM Actualbudget 2026

Referanslar

https://github.com/actualbudget/actual/commit/9966c024cb75f57943193cac8e42f401efed9d08 https://github.com/actualbudget/actual/releases/tag/v26.2.1 https://github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrv