Authorization Flaw in Actual Personal Finance Application
CVE-2026-50007
7.2HIGH
What is CVE-2026-50007?
A significant authorization flaw exists in the Actual personal finance application prior to version 26.7.0. Due to improper access controls, a shared user with permissions on a budget file can execute file-management actions intended solely for file owners or administrators. This vulnerability permits non-owner users to invoke sensitive endpoints such as /delete-user-file, /reset-user-file, and /user-create-key, thereby compromising the integrity and confidentiality of the user's financial data. The issue has been addressed in version 26.7.0.
Affected Version(s)
actual < 26.7.0
