CVE-2026-27638 Overview
CVE-2026-27638 is a Broken Access Control vulnerability affecting Actual, a local-first personal finance tool. Prior to version 26.2.1, when operating in multi-user mode with OpenID authentication, the sync API endpoints (/sync/*) fail to verify that the authenticated user owns or has access to the file being operated on. This missing authorization check allows any authenticated user to read, modify, and overwrite any other user's budget files simply by providing the target file ID.
Critical Impact
Authenticated attackers can access, modify, or delete other users' sensitive financial data including budget files, transaction histories, and personal financial information without authorization.
Affected Products
- Actual Budget (versions prior to 26.2.1)
- Actual Sync Server with OpenID multi-user mode enabled
Discovery Timeline
- 2026-02-26 - CVE CVE-2026-27638 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27638
Vulnerability Analysis
This vulnerability stems from a Missing Authorization (CWE-862) flaw in the Actual sync server component. When operating in multi-user mode with OpenID authentication, the application correctly authenticates users but fails to implement proper authorization checks on the sync API endpoints. The sync endpoints accept a file ID parameter but do not validate whether the requesting user has legitimate access to that file.
The vulnerability affects the network-accessible sync API, requiring low complexity to exploit. An attacker needs only low-privilege authentication (any valid user account) and no user interaction to exploit this flaw. The primary impact is to data integrity, as attackers can read sensitive financial information and modify or delete other users' budget data.
Root Cause
The root cause is the absence of file ownership verification in the sync API endpoint handlers. The app-sync.ts module processes sync requests without checking if the authenticated user has permission to access the requested file ID. The fix introduces a user service (UserService) to enforce file access authorization and includes a database migration to backfill file ownership data for existing records.
Attack Vector
The attack vector is network-based, exploiting the sync API endpoints. An attacker with a valid authenticated session can enumerate or guess file IDs belonging to other users and perform unauthorized operations on those files. The attack requires:
- Obtaining valid authentication credentials (any user account)
- Identifying target file IDs (through enumeration or other information disclosure)
- Sending crafted requests to /sync/* endpoints with the target file ID
The security patch introduces authorization checks by importing the UserService module to validate file access:
validateUploadedFile,
} from './app-sync/validation';
import { config } from './load-config';
+import * as UserService from './services/user-service';
import * as simpleSync from './sync-simple';
import {
errorMiddleware,
Source: GitHub Commit Details
Additionally, a database migration was added to backfill file ownership for existing records:
+import { getAccountDb } from '../src/account-db';
+
+export const up = async function () {
+ const accountDb = getAccountDb();
+
+ const admin = accountDb.first(
+ 'SELECT id FROM users WHERE role = ? ORDER BY id LIMIT 1',
+ ['ADMIN'],
+ );
+ if (admin) {
+ accountDb.mutate('UPDATE files SET owner = ? WHERE owner IS NULL', [
+ admin.id,
+ ]);
+ }
+};
+
+export const down = async function () {
+ // Cannot reliably restore NULL owner for backfilled rows; no-op.
+};
Source: GitHub Commit Details
Detection Methods for CVE-2026-27638
Indicators of Compromise
- Unusual access patterns to /sync/* API endpoints from authenticated users accessing multiple file IDs
- API requests containing file IDs that do not belong to the authenticated user
- Unexpected modifications to budget files without corresponding user sessions
- Audit logs showing cross-user file access attempts
Detection Strategies
- Implement logging of all sync API requests with user ID and file ID correlation
- Monitor for authenticated users accessing file IDs not associated with their account
- Review web server access logs for anomalous patterns on /sync/* endpoints
- Deploy application-level monitoring to track file access authorization failures
Monitoring Recommendations
- Enable detailed audit logging for all sync operations including user identity and file ownership
- Set up alerts for failed authorization checks once the patch is applied
- Monitor for bulk file ID enumeration attempts through rate limiting analysis
- Review historical logs for potential past exploitation if running vulnerable versions
How to Mitigate CVE-2026-27638
Immediate Actions Required
- Upgrade Actual Budget to version 26.2.1 or later immediately
- If upgrade is not immediately possible, consider temporarily disabling multi-user OpenID mode
- Review audit logs for any signs of unauthorized file access
- Notify users to verify the integrity of their budget data
Patch Information
The vulnerability is patched in Actual version 26.2.1. The fix implements proper file access authorization checks in the sync API endpoints and includes a database migration to ensure all existing files have proper ownership records. Administrators should upgrade to the patched version by following the GitHub Release v26.2.1 instructions. For detailed technical information about the security fix, refer to the GitHub Security Advisory GHSA-qmjj-p7m9-wjrv.
Workarounds
- Disable multi-user OpenID mode and operate in single-user mode until the patch can be applied
- Implement network-level access controls to restrict sync API access to trusted networks only
- Deploy a reverse proxy with additional authorization checks in front of the Actual server
- Consider temporarily taking the service offline if sensitive financial data is at risk
# Configuration example - Restrict access via nginx until patched
location /sync/ {
# Temporarily restrict sync API to internal network only
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
proxy_pass http://actual-server:5006;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
