Platform: nodejs
Component: @actual-app/sync-server
Fixed in: 26.2.1, 26.2.2
CVE-2026-27584 is a critical vulnerability in the ActualBudget Sync Server (@actual-app/sync-server). The SimpleFIN and Pluggy.ai integration endpoints are served without an authentication middleware in front of them, so any client that can reach the server over the network can call them without a session and receive the financial data they return. Only instances with the SimpleFIN or Pluggy.ai integration configured are affected, and the server must be reachable by the attacker. Upgrade to version 26.2.1 or later.

The impact is unauthenticated disclosure of bank account balances and transaction history. An attacker needs no credentials and no prior access: a direct request to the SimpleFIN or Pluggy.ai integration endpoints returns the linked accounts' data. The blast radius is every user of an affected, network-reachable instance that has either integration configured. Because no authentication is required, exploitation costs the attacker a single request.

CVE-2026-27584 was publicly disclosed on 2026-02-24. There is no indication of active exploitation and no KEV listing at the time of writing. No public proof-of-concept code is known, but since the attack amounts to one unauthenticated HTTP request, the absence of a PoC offers little protection, and exploitation should be expected once one circulates. The CVSS score of 9.5 (CRITICAL) reflects the sensitivity of the exposed data and the ease of exploitation.
Exploit Status
EPSS: 0.11% (29th percentile)
CISA SSVC
The definitive mitigation for CVE-2026-27584 is to upgrade the ActualBudget Sync Server component to version 26.2.1 or later. Back up the server configuration and database before upgrading so a failed upgrade can be rolled back, and review the release notes for breaking changes that might require configuration or dependency adjustments. No WAF or reverse-proxy rule is a substitute for the upgrade, because the missing check lives in the application's own routing; until the upgrade is applied, the effective interim control is to stop untrusted networks from reaching the instance at all (firewall it, bind it to a private interface or VPN, or require authentication at a reverse proxy in front of it). After upgrading, verify the fix by sending requests to the SimpleFIN and Pluggy.ai endpoints without a session: they must be rejected (a 401 or similar denial, never a 200 carrying account data).
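The following is an added example, not code from the Actual project: a small Express-style router that models the bug class described above (integration routes served with no authentication middleware in front of them) beside the fixed mounting, plus a post-upgrade check of the kind the verification step calls for. The route paths (/simplefin/accounts, /pluggyai/accounts), the "x-actual-token" header and the 401 response are assumptions for illustration; the page does not name the real ones.

```javascript
'use strict';

// Added example (not Actual's code). Route paths, the "x-actual-token" header and
// the 401 status are assumptions; the constructed token and account data are sample input.
const VALID_SESSION_TOKENS = new Set(['constructed-valid-session-token']);
const SAMPLE_ACCOUNTS = [{ id: 'acct-1', name: 'Checking', balance: 1234.56 }];

// Minimal router. Each layer is { prefix, fn }; fn(req, res) returns true once it
// has written a response, which ends the chain (the equivalent of not calling next()).
function createRouter() {
  const layers = [];
  const matches = (prefix, path) =>
    prefix === '' || path === prefix || path.startsWith(prefix + '/');
  const router = {
    // use(fn) runs fn for every request; use(prefix, fn) only for paths under prefix.
    use(prefix, fn) {
      if (typeof prefix === 'function') { fn = prefix; prefix = ''; }
      layers.push({ prefix, fn });
      return router;
    },
    post(path, fn) {
      layers.push({
        prefix: path,
        fn: (req, res) => (req.method === 'POST' && req.path === '' ? fn(req, res) : false),
      });
      return router;
    },
    handle(req, res) {
      for (const { prefix, fn } of layers) {
        if (!matches(prefix, req.path)) continue;
        // Sub-routers see the path relative to their mount point, as in Express.
        if (fn({ ...req, path: req.path.slice(prefix.length) }, res)) return true;
      }
      return false;
    },
  };
  return router;
}

// Session check: reject anything without a known token. Returning true here is what
// keeps unauthenticated callers away from every route mounted after it.
function validateSession(req, res) {
  if (!VALID_SESSION_TOKENS.has(req.headers['x-actual-token'])) {
    res.status = 401;
    res.body = { status: 'error', reason: 'unauthorized' };
    return true;
  }
  return false;
}

// Integration sub-router standing in for the SimpleFIN / Pluggy.ai apps.
// withAuth=false reproduces the flaw: the data route has no check in front of it.
// withAuth=true is the fix: the session middleware is the first layer of the sub-router.
function integrationRouter({ withAuth }) {
  const r = createRouter();
  if (withAuth) r.use(validateSession);
  r.post('/accounts', (req, res) => {
    res.status = 200;
    res.body = { status: 'ok', data: { accounts: SAMPLE_ACCOUNTS } };
    return true;
  });
  return r;
}

function buildApp({ withAuth }) {
  const app = createRouter();
  app.use('/simplefin', integrationRouter({ withAuth }).handle);
  app.use('/pluggyai', integrationRouter({ withAuth }).handle);
  app.use((req, res) => { res.status = 404; res.body = { status: 'error', reason: 'not-found' }; return true; });
  return app;
}

// Drive the router in-process; returns { status, body } for one request.
function request(app, method, path, headers = {}) {
  const res = { status: 0, body: null };
  app.handle({ method, path, headers }, res);
  return res;
}

// Post-upgrade check against a live instance (Node 18+ global fetch): an
// unauthenticated POST to each integration path should no longer return 200.
async function checkLiveInstance(baseUrl, paths = ['/simplefin/accounts', '/pluggyai/accounts']) {
  const results = {};
  for (const p of paths) {
    const r = await fetch(new URL(p, baseUrl), {
      method: 'POST', headers: { 'content-type': 'application/json' }, body: '{}',
    });
    results[p] = r.status;
  }
  return results;
}

// Usage: node check.js https://budget.example.invalid   (prints status per path)
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  checkLiveInstance(process.argv[2]).then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

In the model, `buildApp({ withAuth: false })` answers `POST /simplefin/accounts` with 200 and account data for a request carrying no token at all, while `buildApp({ withAuth: true })` answers 401 for the same request and only serves data when a valid session token is present. The ordering is the whole point: the session middleware must be registered on the integration sub-router before its data routes, or mounted globally ahead of them, or those routes are reachable by anyone. For a real deployment, `checkLiveInstance` reports the status each assumed path returns to an unauthenticated POST; after upgrading, none of them should be 200.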
Update ActualBudget Server to version 26.2.1 or later. This version fixes the missing authentication on the SimpleFIN and Pluggy.ai endpoints. Make sure the ActualBudget Server instance is not publicly reachable until it has been updated.
CVE-2026-27584 is a critical vulnerability in ActualBudget Sync Server that allows unauthenticated users to access sensitive bank data through SimpleFIN and Pluggy.ai integrations due to a missing authentication check.
You are affected if you use ActualBudget Sync Server and have the SimpleFIN or Pluggy.ai integrations enabled, and are running a version prior to 26.2.1.
Upgrade ActualBudget Sync Server to version 26.2.1 or later to mitigate the vulnerability. Back up your server before upgrading.
There is currently no confirmed active exploitation, but the vulnerability's simplicity suggests it may be exploited in the future.
Refer to the official ActualBudget security advisory for detailed information and updates regarding CVE-2026-27584.