CVE-2026-27638 is a missing authorization vulnerability (CWE-862) in the Actual personal finance application, specifically affecting versions prior to 26.2.1 when operating in multi-user mode with OpenID authentication. The vulnerability exists in the sync API endpoints under the path `/sync/*`, which fail to verify whether the authenticated user owns or has permission to access the budget file identified by the provided file ID. Consequently, any authenticated user can supply arbitrary file IDs and gain unauthorized read, write, and overwrite access to other users' budget files. This flaw compromises the confidentiality and integrity of sensitive financial data stored within Actual. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity and no privileges beyond authentication. The CVSS 4.0 base score is 5.7 (medium severity), reflecting network attack vector, low complexity, no privileges required beyond authentication, no user interaction, and high impact on integrity and confidentiality. The vendor addressed this issue in version 26.2.1 by implementing proper authorization checks on the sync API endpoints to ensure users can only access their own files. No known exploits are reported in the wild as of the publication date. This vulnerability highlights the critical importance of enforcing strict authorization controls in multi-user applications, especially those handling sensitive personal financial data.

The vulnerability allows any authenticated user to access and manipulate other users' budget files, leading to significant confidentiality and integrity breaches. Sensitive financial data could be exposed, altered, or destroyed, undermining user trust and potentially causing financial harm or privacy violations. For organizations using Actual in multi-user environments, this could result in data leakage, unauthorized data modification, and compliance violations related to data protection regulations. The ability to overwrite files also raises the risk of data loss or corruption, impacting availability indirectly. Since exploitation requires only authentication, insider threats or compromised accounts can easily leverage this flaw. The medium severity score reflects the balance between the need for authentication and the high impact on data integrity and confidentiality. Organizations relying on Actual for financial management must consider the risk of unauthorized data access and potential reputational damage if exploited.

1. Upgrade all Actual installations to version 26.2.1 or later immediately to apply the vendor's patch that enforces proper authorization checks on sync API endpoints. 2. Review and restrict user authentication mechanisms to minimize the risk of compromised credentials, including enforcing strong authentication policies and monitoring for suspicious login activity. 3. Implement network segmentation and access controls to limit exposure of the Actual sync API endpoints to trusted users only. 4. Conduct thorough audits of user permissions and file access logs to detect any unauthorized access or modifications. 5. If upgrading immediately is not feasible, consider disabling multi-user mode or restricting sync API access until patched. 6. Educate users about the importance of safeguarding their authentication credentials to reduce insider threat risks. 7. Integrate anomaly detection tools to identify unusual file access patterns indicative of exploitation attempts. 8. Regularly back up budget files to enable recovery in case of data corruption or overwriting.