CVE-2026-50007: CWE-862: Missing Authorization in actualbudget actual
Actual, an open-source personal finance application, has a missing authorization vulnerability prior to version 26.7.0. This flaw allows a shared user with user_access on a budget file to perform actions reserved for the file owner, such as deleting or resetting user files and creating user keys. The issue arises because the application treats ordinary shared access as sufficient for file-management operations that should require owner or administrator privileges. The vulnerability is fixed in version 26.7.0.
AI Analysis
Technical Summary
CVE-2026-50007 is a missing authorization vulnerability (CWE-862) in Actual (actualbudget) versions prior to 26.7.0. A non-owner shared user with user_access privileges can invoke file-management endpoints (/delete-user-file, /reset-user-file, /user-create-key) that are intended only for the file owner or administrators. This occurs because the requireFileAccess function incorrectly grants access based on ordinary shared access rather than stricter owner-level permissions. The vulnerability allows unauthorized modification or deletion of budget files by shared users. The issue is resolved in Actual version 26.7.0.
Potential Impact
Unauthorized shared users can perform owner-only file management actions, potentially leading to unauthorized deletion, resetting, or key creation on budget files. This compromises the integrity and control of personal finance data within the application. The vulnerability has a CVSS 4.0 score of 7.2 (high severity), indicating significant risk if exploited.
Mitigation Recommendations
Upgrade to Actual version 26.7.0 or later, where this missing authorization issue is fixed. No other mitigation is indicated. Patch status is confirmed by the vendor advisory stating the issue is resolved in 26.7.0.
CVE-2026-50007: CWE-862: Missing Authorization in actualbudget actual
Description
Actual, an open-source personal finance application, has a missing authorization vulnerability prior to version 26.7.0. This flaw allows a shared user with user_access on a budget file to perform actions reserved for the file owner, such as deleting or resetting user files and creating user keys. The issue arises because the application treats ordinary shared access as sufficient for file-management operations that should require owner or administrator privileges. The vulnerability is fixed in version 26.7.0.
CVSS v4.0
Score 7.2high
Affected software
pkg:github/actualbudget/actualRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-50007 is a missing authorization vulnerability (CWE-862) in Actual (actualbudget) versions prior to 26.7.0. A non-owner shared user with user_access privileges can invoke file-management endpoints (/delete-user-file, /reset-user-file, /user-create-key) that are intended only for the file owner or administrators. This occurs because the requireFileAccess function incorrectly grants access based on ordinary shared access rather than stricter owner-level permissions. The vulnerability allows unauthorized modification or deletion of budget files by shared users. The issue is resolved in Actual version 26.7.0.
Potential Impact
Unauthorized shared users can perform owner-only file management actions, potentially leading to unauthorized deletion, resetting, or key creation on budget files. This compromises the integrity and control of personal finance data within the application. The vulnerability has a CVSS 4.0 score of 7.2 (high severity), indicating significant risk if exploited.
Mitigation Recommendations
Upgrade to Actual version 26.7.0 or later, where this missing authorization issue is fixed. No other mitigation is indicated. Patch status is confirmed by the vendor advisory stating the issue is resolved in 26.7.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-02T22:46:02.578Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4d6893c9d9e3dbe3d54572
Added to database: 07/07/2026, 20:58:59 UTC
Last enriched: 07/07/2026, 21:13:28 UTC
Last updated: 07/07/2026, 21:59:06 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.