Local-First Personal Finance Tool Vulnerability in Actual Budget Server by Actual
CVE-2026-27584

9.2 CRITICAL

Key Information:

Status:
Vendor:
CVE Published: 24 February 2026

What is CVE-2026-27584?

Actual Budget Server prior to version 26.2.1 does not apply authentication middleware to its bank-sync integration endpoints, so any unauthenticated user who can reach the server can call them. An attacker can use this to retrieve sensitive bank account information, including balances and transaction history, from instances where a SimpleFIN or Pluggy.ai integration is configured. To mitigate this issue, upgrade to version 26.2.1 or later and ensure that the server instance is not publicly accessible.
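The bug class described above, as an added illustration that is not Actual Budget's own code: two integration routes mounted once without and once with an authentication middleware, plus an audit function that checks every integration route rejects an unauthenticated request. Route paths, the `x-actual-token` header, the token value and the response bodies are hypothetical.

```javascript
// Hypothetical integration routes of the kind the advisory describes
// (bank-sync data returned by SimpleFIN / Pluggy.ai integrations).
const ROUTES = {
  "GET /simplefin/accounts": () =>
    ({ status: 200, body: { accounts: ["checking", "savings"] } }),
  "GET /pluggy/transactions": () =>
    ({ status: 200, body: { transactions: [{ amount: -42.5 }] } }),
};

// Authentication middleware: reject any request lacking a valid session token.
// Header name and token format are assumptions for this example.
function requireAuth(validTokens) {
  return (req, next) => {
    const token = req.headers["x-actual-token"];
    if (!token || !validTokens.has(token)) {
      return { status: 401, body: { error: "unauthenticated" } };
    }
    return next(req);
  };
}

// Minimal router: runs the middleware chain, then the matched route handler.
function buildApp(routes, middleware) {
  return (req) => {
    const handler = routes[`${req.method} ${req.path}`];
    if (!handler) return { status: 404, body: {} };
    const chain = middleware.reduceRight(
      (next, mw) => (r) => mw(r, next), handler);
    return chain(req);
  };
}

// Vulnerable wiring: the integration router is mounted with no auth middleware.
const vulnerableApp = buildApp(ROUTES, []);
// Fixed wiring: every integration route sits behind requireAuth.
const fixedApp = buildApp(ROUTES, [requireAuth(new Set(["s3cr3t-session"]))]);

// Regression check a defender can keep in the test suite: list every
// integration route that still answers 200 to an unauthenticated request.
function auditUnauthenticatedAccess(app, routes) {
  const exposed = [];
  for (const key of Object.keys(routes)) {
    const [method, path] = key.split(" ");
    const res = app({ method, path, headers: {} });
    if (res.status === 200) exposed.push(key);
  }
  return exposed;
}
```

Running the audit against `vulnerableApp` lists both routes; against `fixedApp` it returns an empty list, while a request carrying the valid token still succeeds.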

Affected Version(s)

actual < 26.2.1

References

CVSS v4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved