Security Advisory

CVE-2026-27638

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-02-26 22:14:21

Last updated 2026-03-02 20:48:53

Assigner GitHub_M

State PUBLISHED

Description

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) dont verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other users budget files by providing their file ID. Version 26.2.1 patches the issue.

← Browse all CVEs View on cve.org ↗