Platform: nodejs
Component: @actual-app/sync-server
Fixed in: 26.2.2, 26.2.1
CVE-2026-27584 is a critical vulnerability affecting the ActualBudget Sync Server component. This vulnerability stems from a missing authentication middleware, enabling unauthenticated users to query integration endpoints and access sensitive financial data. The issue impacts users utilizing the SimpleFIN and Pluggy.ai integrations and requires the ActualBudget Server instance to be accessible over the network. Upgrade to version 26.2.1 to resolve this issue.
The primary impact of CVE-2026-27584 is the unauthorized exposure of sensitive bank account balance and transaction history data. An attacker, without any authentication, can directly query the SimpleFIN and Pluggy.ai integration endpoints within the ActualBudget Sync Server. This allows them to retrieve detailed financial information belonging to ActualBudget users. The blast radius extends to all users who have configured either of these integrations, making a significant portion of the user base potentially at risk. The lack of authentication makes this vulnerability particularly concerning, as it requires minimal effort to exploit.
CVE-2026-27584 was publicly disclosed on 2026-02-24. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the simplicity of the vulnerability suggests that it is likely to be exploited once a PoC is released. The CVSS score of 9.5 (CRITICAL) reflects the high severity and ease of exploitation.
Users of ActualBudget who have integrated SimpleFIN or Pluggy.ai are directly at risk. This includes individuals and businesses relying on these integrations for financial data synchronization. Specifically, those running older versions of the ActualBudget Sync Server are vulnerable, particularly those with publicly accessible server instances.
• nodejs / server:
curl -I http://<actualbudget_server>/simplefin/balance
curl -I http://<actualbudget_server>/pluggyai/transactions
• generic web:
grep -r "/simplefin/balance" /var/log/nginx/access.log
grep -r "/pluggyai/transactions" /var/log/nginx/access.log
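The grep commands above only show that the integration paths were requested; what a responder needs to know is whether such requests were answered with data. The following is an added example (not code from the page or from the ActualBudget project) that parses nginx "combined" access-log lines, keeps only requests to the /simplefin/ and /pluggyai/ path prefixes (assumed from the curl commands above) and tallies, per source IP, how many were served (2xx) versus denied (401/403). The log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Integration path prefixes the advisory describes as lacking the auth middleware
# (assumed from the endpoints used in the detection commands on this page).
WATCHED_PREFIXES = ("/simplefin/", "/pluggyai/")

# nginx "combined" format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def is_integration_request(path):
    return path.startswith(WATCHED_PREFIXES)

def triage(lines):
    """Per source IP: integration requests that were served, denied, or other.
    A 2xx on these paths from a pre-26.2.1 server means data left without auth."""
    report = defaultdict(lambda: {"served": 0, "denied": 0, "other": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_integration_request(rec["path"]):
            continue
        if 200 <= rec["status"] < 300:
            bucket = "served"
        elif rec["status"] in (401, 403):
            bucket = "denied"
        else:
            bucket = "other"
        report[rec["ip"]][bucket] += 1
    return dict(report)

# Constructed sample log: one unknown client pulling both endpoints, one legitimate sync
# client, one denied probe, and a malformed line the parser must skip.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2026:10:01:02 +0000] "GET /simplefin/balance HTTP/1.1" 200 1834 "-" "curl/8.5.0"
203.0.113.7 - - [24/Feb/2026:10:01:05 +0000] "GET /pluggyai/transactions?accountId=1 HTTP/1.1" 200 9120 "-" "curl/8.5.0"
198.51.100.4 - - [24/Feb/2026:10:02:00 +0000] "POST /sync/sync HTTP/1.1" 200 512 "-" "actual/26.2.0"
198.51.100.4 - - [24/Feb/2026:10:02:30 +0000] "GET /simplefin/balance HTTP/1.1" 401 45 "-" "curl/8.5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE_LOG.splitlines()).items():
        print(ip, counts)
```

Run it against the real file with `triage(open("/var/log/nginx/access.log"))`; any IP with a non-zero `served` count before the upgrade is a candidate for incident handling, and after the upgrade every new entry should land in `denied`.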
Exploit Status
EPSS: 0.11% (29th percentile)
CISA SSVC
The definitive mitigation for CVE-2026-27584 is to upgrade the ActualBudget Sync Server component to version 26.2.1 or later. Prior to upgrading, it's crucial to back up the server configuration and database to ensure data integrity in case of unforeseen issues. While upgrading, carefully review the release notes for any breaking changes that might require adjustments to the application's configuration or dependencies. There are no immediate WAF or proxy rules that can fully mitigate this vulnerability without upgrading, as the issue lies within the application's authentication logic. After upgrading to version 26.2.1, verify the fix by attempting to access the SimpleFIN and Pluggy.ai endpoints without authentication; requests should be denied.
Update ActualBudget Server to version 26.2.1 or later. This version fixes the missing authentication on the SimpleFIN and Pluggy.ai endpoints. Make sure the ActualBudget Server instance is not publicly accessible until it has been updated.
CVE-2026-27584 is a critical vulnerability in ActualBudget Sync Server that allows unauthenticated users to access sensitive bank data through SimpleFIN and Pluggy.ai integrations due to a missing authentication check.
You are affected if you use ActualBudget Sync Server and have the SimpleFIN or Pluggy.ai integrations enabled, and are running a version prior to 26.2.1.
Upgrade ActualBudget Sync Server to version 26.2.1 or later to mitigate the vulnerability. Back up your server before upgrading.
There is currently no confirmed active exploitation, but the vulnerability's simplicity suggests it may be exploited in the future.
Refer to the official ActualBudget security advisory for detailed information and updates regarding CVE-2026-27584.