
CVE Reports

Originally published at cvereports.com

CVE-2026-27638: Actual Budget Sync Authorization Bypass (IDOR)


Vulnerability ID: CVE-2026-27638
CVSS Score: 7.1
Published: 2026-02-27

A critical authorization flaw exists in Actual Budget's synchronization server, specifically affecting multi-user deployments. The vulnerability allows authenticated users to access, modify, or delete budget files belonging to other users due to missing ownership verification checks in the sync endpoints. This effectively constitutes an Insecure Direct Object Reference (IDOR) where knowledge of a file's UUID is sufficient to grant full access, bypassing intended isolation between users.

TL;DR

Actual Budget versions prior to 26.2.1 fail to verify file ownership on synchronization endpoints. Any authenticated user can read or overwrite another user's financial data by supplying the target's budget ID in API requests.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-862
  • Vulnerability Type: Missing Authorization / IDOR
  • CVSS v3.1: 7.1 (High)
  • Attack Vector: Network
  • Privileges Required: Low (Authenticated User)
  • Impact: Data Exfiltration & Integrity Loss

Affected Systems

  • Actual Budget Server (Multi-user configuration)
  • Actual: < 26.2.1 (Fixed in: 26.2.1)

Code Analysis

Commit: 9966c02

fix: verify file ownership in sync endpoints

function requireFileAccess(file, userId) {
+  if (file.owner === userId) return null;
+  return 'file-access-not-allowed';
}
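Review bot: `file.owner === userId` evaluates to true when both sides are undefined, so a file row with no recorded owner (the kind of row the mitigation and remediation steps in this report say to audit for) would pass the check for a request whose user id is also missing; add an explicit guard such as `if (typeof file.owner !== 'string') return 'file-access-not-allowed';` before the equality comparison. The hunk also shows only the helper, while the commit message says ownership is verified in the sync endpoints; the call sites that check the returned error string and turn it into a rejection should be part of the same change, because a caller that ignores the return value keeps the bypass intact.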

Mitigation Strategies

  • Implement object-level authorization checks for all resource access (the missing control behind Broken Object Level Authorization, BOLA).
  • Restrict the instance to single-user mode until patched.
  • Audit the database for files with missing ownership information.
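To make the object-level check concrete, here is an added example in JavaScript (it is not Actual Budget's own code, and the store, user names, file UUIDs and helper names are constructed for illustration). It models a sync handler twice: once locating the file purely by the client-supplied id, which is the IDOR pattern described above, and once with an ownership check that also refuses files whose owner was never recorded. A small audit helper covers the "files with missing ownership" item in the list above and the post-upgrade check in the remediation steps.

```javascript
// Added example, not Actual Budget's code: an in-memory model of a multi-user
// sync endpoint showing the IDOR pattern and its object-level authorization fix.
// All identifiers below are constructed sample values.

// Constructed sample "files" table: id -> row. The third row has no owner,
// mimicking a legacy entry created before ownership was recorded.
function makeSampleStore() {
  return new Map([
    ['0a1b2c3d-0000-4000-8000-000000000001', { owner: 'alice', data: 'alice-budget-v3' }],
    ['0a1b2c3d-0000-4000-8000-000000000002', { owner: 'bob', data: 'bob-budget-v1' }],
    ['0a1b2c3d-0000-4000-8000-000000000003', { owner: undefined, data: 'orphan-budget' }],
  ]);
}

// Vulnerable handler: the file is located purely by the client-supplied id.
// Any authenticated user who supplies another user's UUID reads, and can
// overwrite, that user's data.
function syncVulnerable(store, req) {
  const file = store.get(req.fileId);
  if (!file) return { status: 404, body: 'file-not-found' };
  if (req.newData !== undefined) file.data = req.newData;
  return { status: 200, body: file.data };
}

// Object-level authorization check (hypothetical helper). Returns null when the
// caller may use the file, otherwise an error code. A file with no recorded
// owner is treated as inaccessible rather than as "owned by nobody", because a
// plain `file.owner === userId` would pass when both sides are undefined.
function checkFileAccess(file, userId) {
  if (typeof file.owner !== 'string' || file.owner === '') return 'file-access-not-allowed';
  if (file.owner !== userId) return 'file-access-not-allowed';
  return null;
}

// Hardened handler: same lookup, but the ownership check runs before any read
// or write, and a non-null error code is turned into a rejection.
function syncHardened(store, req) {
  const file = store.get(req.fileId);
  if (!file) return { status: 404, body: 'file-not-found' };
  const err = checkFileAccess(file, req.userId);
  if (err !== null) return { status: 403, body: err };
  if (req.newData !== undefined) file.data = req.newData;
  return { status: 200, body: file.data };
}

// Audit helper for the post-upgrade check: list file ids whose owner is missing.
function findFilesWithoutOwner(store) {
  const ids = [];
  for (const [id, file] of store) {
    if (typeof file.owner !== 'string' || file.owner === '') ids.push(id);
  }
  return ids;
}

// Stand-alone demonstration with a fresh store.
const demoStore = makeSampleStore();
const aliceFile = '0a1b2c3d-0000-4000-8000-000000000001';
console.log('vulnerable, bob reads alice:', syncVulnerable(demoStore, { userId: 'bob', fileId: aliceFile }));
console.log('hardened, bob reads alice:', syncHardened(demoStore, { userId: 'bob', fileId: aliceFile }));
console.log('files without owner:', findFilesWithoutOwner(demoStore));
```

The point of the missing-owner branch is that a check added after the fact inherits whatever data the table already holds; rejecting ownerless rows until the audit has assigned them an owner fails closed, whereas comparing two undefined values fails open.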

Remediation Steps:

  1. Stop the running Actual server instance.
  2. Pull the latest Docker image or update the source to version 26.2.1.
  3. Restart the server to apply the application update and trigger database migrations.
  4. Verify that the files table in the database has valid owner IDs for all entries.

Read the full report for CVE-2026-27638 on our website for more details including interactive diagrams and full exploit analysis.
