CVE-2026-27638: CWE-862: Missing Authorization in actualbudget actual
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.
AI Analysis
Technical Summary
CVE-2026-27638 is a vulnerability identified in Actual, a personal finance application that operates in a local-first mode but supports multi-user synchronization via OpenID. In versions prior to 26.2.1, the sync API endpoints under the path `/sync/*` lack proper authorization checks to verify that the authenticated user owns or has permission to access the budget files they attempt to operate on. This missing authorization (CWE-862) allows any authenticated user to read, modify, or overwrite any other user's budget files by simply providing the target file's ID. The vulnerability arises because the API trusts the authentication state but fails to enforce access control on resource ownership. Exploitation requires only authenticated access with low complexity and no user interaction, and it can be performed remotely over the network. The flaw impacts the confidentiality and integrity of user financial data, potentially exposing sensitive budget information and enabling malicious alteration of financial records. The vendor addressed this issue in version 26.2.1 by implementing proper authorization checks on the sync endpoints to ensure users can only access their own files. No known exploits are reported in the wild as of the publication date. The CVSS v4.0 base score is 5.7, reflecting medium severity due to the moderate impact and ease of exploitation without privileges beyond authentication.
Potential Impact
The vulnerability allows unauthorized access and modification of sensitive personal financial data, which can lead to privacy breaches and loss of data integrity. For organizations or individuals relying on Actual for financial management, this could result in exposure of confidential budget information, manipulation of financial records, and potential financial fraud or identity theft. Since the flaw affects multi-user mode with OpenID authentication, environments where multiple users share the same Actual deployment or cloud sync service are at risk. The impact extends to trust erosion in the application and potential regulatory compliance issues related to data protection. Although availability is not affected, the compromise of confidentiality and integrity can have serious consequences for users' financial security and organizational risk posture.
Mitigation Recommendations
The primary mitigation is to upgrade Actual to version 26.2.1 or later, where the authorization checks on sync API endpoints are properly enforced. Organizations should audit their Actual deployments to identify any instances running vulnerable versions and prioritize patching. Additionally, administrators should review user access controls and monitor API usage logs for suspicious activity indicating unauthorized file access attempts. Implementing network segmentation and restricting access to the sync API endpoints to trusted users can reduce exposure. Where possible, enforce multi-factor authentication for OpenID accounts to reduce the risk of compromised credentials being used to exploit this vulnerability. Finally, educating users about the importance of software updates and monitoring for unusual financial data changes can help detect exploitation attempts early.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T22:02:30.029Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a0c89232ffcdb8a25244f7
Added to database: 2/26/2026, 10:26:26 PM
Last enriched: 2/26/2026, 10:43:02 PM
Last updated: 2/27/2026, 6:19:10 AM