CVE-2026-27638: @actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
In multi-user mode (OpenID), the sync API endpoints (/sync/*) don’t verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user’s budget files by providing their file ID.
References
- github.com/actualbudget/actual
- github.com/actualbudget/actual/commit/9966c024cb75f57943193cac8e42f401efed9d08
- github.com/actualbudget/actual/releases/tag/v26.2.1
- github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrv
- github.com/advisories/GHSA-qmjj-p7m9-wjrv
- nvd.nist.gov/vuln/detail/CVE-2026-27638
Code Behaviors & Features
Detect and mitigate CVE-2026-27638 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →