Unauthorized Access Vulnerability in Ghostfolio API
CVE-2026-59708
8.7HIGH
What is CVE-2026-59708?
The Ghostfolio API features a security flaw that permits attackers to access sensitive portfolio data using valid private access IDs without proper user authentication. Specifically, the GET /api/v1/public/:accessId/portfolio endpoint fails to validate the granteeUserId filtering, leading to unauthorized exposure of critical information. As a result, malicious actors can retrieve detailed portfolio holdings, including quantities, buy prices, and performance metrics, without any verification process in place.
Affected Version(s)
ghostfolio 0 <= 3.6.0
ghostfolio 0 <= 697ef59
