Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID.
Version 26.2.1 patches the issue.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Actualbudget Actual
cpe:2.3:a:actualbudget:actual:*:*:*:*:*:node.js:*:*
|
— |
26.2.1
|
References 3
https://github.com/actualbudget/actual/commit/9966c024cb75f57943193cac8e42f401e…
security-advisories@github.com
https://github.com/actualbudget/actual/releases/tag/v26.2.1
security-advisories@github.com
https://github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrv
security-advisories@github.com