Authorization Flaw in Actual Personal Finance Application
CVE-2026-50007

7.2HIGH

Key Information:

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-50007?

A significant authorization flaw exists in the Actual personal finance application prior to version 26.7.0. Due to improper access controls, a shared user with permissions on a budget file can execute file-management actions intended solely for file owners or administrators. This vulnerability permits non-owner users to invoke sensitive endpoints such as /delete-user-file, /reset-user-file, and /user-create-key, thereby compromising the integrity and confidentiality of the user's financial data. The issue has been addressed in version 26.7.0.

Affected Version(s)

actual < 26.7.0

References

CVSS V4

Score:
7.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.