CVE-2026-27584

Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88	Patch
https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:actualbudget:actual:*:*:*:*:*:node.js:*:*

History

26 Feb 2026, 19:46

Type	Values Removed	Values Added
First Time		Actualbudget Actualbudget actual
References	~~() https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88 -~~	() https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88 - Patch
References	~~() https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668 -~~	() https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668 - Exploit, Vendor Advisory
CPE		cpe:2.3:a:actualbudget:actual::::::node.js::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

24 Feb 2026, 15:21

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-24 15:21

Updated : 2026-02-26 19:46

NVD link : CVE-2026-27584

Mitre link : CVE-2026-27584

CVE.ORG link : CVE-2026-27584

JSON object : View

Products Affected

actualbudget

actual

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2026-27584", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-24T15:21:39.010", "references": [{"url": "https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue."}], "lastModified": "2026-02-26T19:46:14.007", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:actualbudget:actual:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "E756E18C-B2C7-46B3-AF5A-D5BCC86C53B7", "versionEndExcluding": "26.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}