CVE-2026-27584

HIGH

ActualBudget <26.2.1 - Info Disclosure

Title source: llm

Description

Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.

References (2)

[Vendor Advisory] https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668

[Patch] https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0016

EPSS Percentile 36.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (2)

actual-app/sync-server 0 - 26.2.1npm

actualbudget/actual < 26.2.1

Published Feb 24, 2026

Tracked Since Feb 24, 2026