Auth bypass in Actualbudget Actual

CVE-2026-50007

Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with user_access on a budget file to perform owner-only file management actions. A non-owner shared user can call fi…

Vulnerability class: Broken Access Control

Affected products

Weakness classification (CWE)

References