4 matches found
GHSA-M2CQ-XJGM-F668 ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
Summary Missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. Impact This vulnerability allows an unauthenticated attack...
CVE-2026-27584 ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction...
CVE-2026-27584
ActualBudget Server is affected by CVE-2026-27584 due to missing authentication middleware in the server component, allowing unauthenticated access to SimpleFIN and Pluggy.ai integration endpoints. An attacker can read bank account balances and transaction histories for users configured with thes...
PT-2026-21761
Name of the Vulnerable Software and Affected Versions ActualBudget versions prior to 26.2.1 Description A missing authentication check in the ActualBudget server component allows unauthenticated users to access the SimpleFIN and Pluggy.ai integration endpoints. This allows an attacker to read...