CVE-2026-27638
Published 2026-02-26
Priority P3 · 42 · CVSS 3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
EPSS: 0.29% (21.1 percentile)
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.
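The authorization gap described above, as an added example that is not code from the Actual project or from this advisory: an in-memory model of a sync endpoint in which the vulnerable handler stops at session validation plus a file-existence check, while the fixed handler also verifies that the requesting user owns, or has been granted access to, the file before reading or writing it. The file and session tables, the user names and the function names (validateSession, findFile, userMayAccess, authorizeFileRequest, syncRead*/syncWrite*) are all constructed for illustration and are not the project's identifiers.

```javascript
// Added example, not code from the Actual sync-server. Models the
// CVE-2026-27638 pattern with an in-memory file table: the vulnerable
// handler asks only "does the file exist?", the fixed handler also asks
// "may this user touch it?". Every name and data value here is constructed.

// Constructed data: alice and bob each own one budget file; bob has shared
// his file with carol.
const files = new Map([
  ['file-alice', { id: 'file-alice', owner: 'alice', sharedWith: [],        content: 'alice-budget-v1' }],
  ['file-bob',   { id: 'file-bob',   owner: 'bob',   sharedWith: ['carol'], content: 'bob-budget-v1' }],
]);

// Constructed session table, standing in for a session-validation middleware.
const sessions = new Map([
  ['tok-alice', { userId: 'alice' }],
  ['tok-bob',   { userId: 'bob' }],
  ['tok-carol', { userId: 'carol' }],
]);

// Authentication only: who is calling?
function validateSession(token) {
  return sessions.get(token) ?? null;
}

// Existence only: is there a file with this ID? (the role of an exists check)
function findFile(fileId) {
  return files.get(fileId) ?? null;
}

// The authorization check the vulnerable endpoints lack: owner or explicitly shared.
function userMayAccess(file, userId) {
  const isOwner = file.owner === userId;
  const isShared = file.sharedWith.includes(userId);
  return isOwner || isShared;
}

// Vulnerable pattern: authenticated + file exists => allowed, whoever owns it.
function syncReadVulnerable(token, fileId) {
  const session = validateSession(token);
  if (!session) return { status: 401, error: 'unauthorized' };
  const file = findFile(fileId);
  if (!file) return { status: 404, error: 'file-not-found' };
  return { status: 200, content: file.content };
}

function syncWriteVulnerable(token, fileId, content) {
  const session = validateSession(token);
  if (!session) return { status: 401, error: 'unauthorized' };
  const file = findFile(fileId);
  if (!file) return { status: 404, error: 'file-not-found' };
  file.content = content; // any authenticated user overwrites any file ID
  return { status: 200 };
}

// Fixed pattern: one shared gate that every file-scoped handler goes through.
function authorizeFileRequest(token, fileId) {
  const session = validateSession(token);
  if (!session) return { error: { status: 401, error: 'unauthorized' } };
  const file = findFile(fileId);
  // Design choice for this example: missing and inaccessible files both
  // answer 404, so the status code does not confirm other users' file IDs.
  if (!file || !userMayAccess(file, session.userId)) {
    return { error: { status: 404, error: 'file-not-found' } };
  }
  return { file, session };
}

function syncReadFixed(token, fileId) {
  const { file, error } = authorizeFileRequest(token, fileId);
  if (error) return error;
  return { status: 200, content: file.content };
}

function syncWriteFixed(token, fileId, content) {
  const { file, error } = authorizeFileRequest(token, fileId);
  if (error) return error;
  file.content = content;
  return { status: 200 };
}

// Stand-alone demonstration: alice requests bob's file through both handlers.
function demonstrate() {
  return {
    vulnerable: syncReadVulnerable('tok-alice', 'file-bob'),
    fixed: syncReadFixed('tok-alice', 'file-bob'),
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

Run it with node: the vulnerable read hands alice bob's budget contents, the fixed read answers not-found. The same gate protects writes, so an overwrite attempt by alice leaves bob's file untouched while bob and carol (explicitly shared) can still read and update it. Whether a server answers 403 or 404 for an inaccessible file is a policy choice; what closes this class of bug is that the ownership/access check runs in one shared place before any read or write, not per endpoint at the discretion of each handler.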
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| actual-app | sync-server | >= 0 < 26.2.1 | 26.2.1 |
| actualbudget | actual | < 26.2.1 | 26.2.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
| NVD | 4.0 | 5.7 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
osv · 2026-02-27 · severity MEDIUM
In multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID.
## Affected Code
File: `packages/sync-server/src/app-sync.ts`
The `validateSessionMiddleware` on line 31 confirms the user is authenticated, but individual endpoints only check that the file *exists* (via `verifyFileExists`), never that the requesting user *owns* or *has access to* the file.
Compare with `POST /sync/delete-user-file` (lines 394-430), which correctly checks:
```js
const isOwner = file.own
```
GHSA
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
ghsa · 2026-02-27 · severity MEDIUM · CWE-862 (Missing Authorization)
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-27638 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.7 · severity MEDIUM
## CVE-2026-27638: JavaScript vulnerability analysis and mitigation
Source: NVD
Score: 5.7 (CNA score 5.7), severity MEDIUM, published February 26, 2026
Affected technologies: JavaScript, Homebrew
Has public exploit: Yes
Has CISA KEV exploit: No (KEV release date N/A, KEV due date N/A)
Exploitation probability percentile (EPSS): 9.8
Exploitation probability (EPSS): N/A
Affected packages and libraries: @actual-app/sync-server, actual
Sources:
- NVD
- npm: severity MEDIUM, has fix, added Mar 02, 2026
- Homebrew: severity HIGH, has fix, added Mar 03, 2026
Bugzilla
CVE-2026-23919 zabbix7.0: Zabbix Server and Proxy: Information disclosure via reused JavaScript contexts [epel-all]
bugzilla · 2026-03-24 · CVSS 7.1 · severity HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion: https://support.zabbix.com/browse/ZBX-27638
Bugzilla
CVE-2026-23919 zabbix6.0: Zabbix Server and Proxy: Information disclosure via reused JavaScript contexts [epel-all]
bugzilla · 2026-03-24 · CVSS 7.1 · severity HIGH
Discussion: https://support.zabbix.com/browse/ZBX-27638