CVE-2026-27638 — HIGH (7.1)

Q: How severe is CVE-2026-27638?

CVE-2026-27638 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-27638?

Check the references section above for vendor advisories and patch information. Affected products include: Actualbudget Actual.

Vulnerability Description

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Actualbudget	Actual	< 26.2.1

Related Weaknesses (CWE)

CWE-862

References

https://github.com/actualbudget/actual/commit/9966c024cb75f57943193cac8e42f401efPatch
https://github.com/actualbudget/actual/releases/tag/v26.2.1ProductRelease Notes
https://github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrvExploitVendor Advisory

FAQ

What is CVE-2026-27638?

CVE-2026-27638 is a vulnerability with a CVSS score of 7.1 (HIGH). Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to t...

How severe is CVE-2026-27638?

CVE-2026-27638 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-27638?

Check the references section above for vendor advisories and patch information. Affected products include: Actualbudget Actual.