Unauthorized Access in Ghostfolio's Portfolio Management API
CVE-2026-59709

5.3MEDIUM

Key Information:

Vendor

Ghostfolio

Vendor
CVE Published:
7 July 2026

What is CVE-2026-59709?

Ghostfolio's API has a critical flaw in its PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, which does not adequately validate the Access.permissions field. This oversight allows attackers with valid read-only share tokens to manipulate portfolio holding tags. As a result, unauthorized users can assign or remove tags, leading to corrupt portfolio categorization and erroneous reporting for affected users. This vulnerability poses significant risks to the integrity of financial data and user trust.

Affected Version(s)

Ghostfolio 0 <= 3.6.0

Ghostfolio 0 < 697ef59

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen
.