Auth bypass in Actualbudget Actual

CVE-2026-27584

Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and r…

Vulnerability class: Broken Authentication

EPSS: 0.002 (38.0th percentile) — read the EPSS interpretation.

Affected products

Actualbudget Actual — versions < 26.2.1

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668 (x_refsource_CONFIRM)
https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88 (x_refsource_MISC)