CVE-2026-27584: ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints

February 24, 2026

Missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information.

References

github.com/actualbudget/actual
github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88
github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668
github.com/advisories/GHSA-m2cq-xjgm-f668
nvd.nist.gov/vuln/detail/CVE-2026-27584

Code Behaviors & Features

Detect and mitigate CVE-2026-27584 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →