CVE-2026-27584
Published 2026-02-24
Priority: P3 · 53 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.40% (31.4th percentile)
Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| actual-app | sync-server | >= 0 < 26.2.1 | 26.2.1 |
| actualbudget | actual | < 26.2.1 | 26.2.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
ghsa · 2026-02-24 · CVE-2026-27584 [CRITICAL] · CWE-306
ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
### Summary
Missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information.
### Impact
This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network.
### Details
The ActualBudget server component allows for integration with SimpleFIN and Pluggy.ai services. These services read b
OSV
osv · 2026-02-24 · CVE-2026-27584 [CRITICAL]
ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
No detection rules found.
No public exploits indexed.
Published: 2026-02-24