Auth bypass in Actualbudget Actual
CVE-2026-27638
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenti…
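The missing check, as an added illustration that is not Actual's code: a simplified model of a multi-user sync handler that only authenticates the caller, beside one that also verifies the caller owns or has been granted access to the requested file. The state (`files`, `access`) and all function names are hypothetical.

```javascript
// Added example (not the project's code): per-file authorization on a sync endpoint.
// Constructed sample state: two users, two budget files, one owner each.
const files = {
  "file-a": { owner: "alice", data: [] },
  "file-b": { owner: "bob", data: [] },
};
// Sharing table: file id -> set of additional user ids allowed to sync it.
const access = {
  "file-a": new Set(),
  "file-b": new Set(),
};

// Simulated request after the authentication middleware has run:
// `user` is the verified identity (or null), `fileId` is client-supplied.
function makeReq(user, fileId, change) {
  return { user, params: { fileId }, body: { change } };
}

// Vulnerable pattern: treats "authenticated" as "authorized".
// Any logged-in user can push changes into any file id they know or guess.
function syncVulnerable(req) {
  if (!req.user) return { status: 401 };
  const f = files[req.params.fileId];
  if (!f) return { status: 404 };
  f.data.push(req.body.change);
  return { status: 200, count: f.data.length };
}

// Authorization check: owner, or explicitly granted access.
function canAccess(user, fileId) {
  const f = files[fileId];
  if (!f) return false;
  const granted = access[fileId];
  return f.owner === user || (granted !== undefined && granted.has(user));
}

// Hardened pattern: the file access check runs before any operation on the file.
// (Returning 404 for both unknown and forbidden ids would also avoid revealing
// which file ids exist; 403 is used here so the two cases are visible in tests.)
function syncHardened(req) {
  if (!req.user) return { status: 401 };
  const f = files[req.params.fileId];
  if (!f) return { status: 404 };
  if (!canAccess(req.user, req.params.fileId)) return { status: 403 };
  f.data.push(req.body.change);
  return { status: 200, count: f.data.length };
}
```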
Vulnerability class: Broken Access Control
EPSS: 0.000 (12.1th percentile)
Affected products
- Actualbudget Actual — versions < 26.2.1
Weakness classification (CWE)
References
- https://github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrv (x_refsource_CONFIRM)
- https://github.com/actualbudget/actual/commit/9966c024cb75f57943193cac8e42f401efed9d08 (x_refsource_MISC)
- https://github.com/actualbudget/actual/releases/tag/v26.2.1 (x_refsource_MISC)