Unauthorized Access Vulnerability in Ghostfolio API
CVE-2026-59708

8.7HIGH

Key Information:

Vendor

Ghostfolio

Vendor
CVE Published:
7 July 2026

What is CVE-2026-59708?

The Ghostfolio API features a security flaw that permits attackers to access sensitive portfolio data using valid private access IDs without proper user authentication. Specifically, the GET /api/v1/public/:accessId/portfolio endpoint fails to validate the granteeUserId filtering, leading to unauthorized exposure of critical information. As a result, malicious actors can retrieve detailed portfolio holdings, including quantities, buy prices, and performance metrics, without any verification process in place.

Affected Version(s)

ghostfolio 0 <= 3.6.0

ghostfolio 0 <= 697ef59

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen
.