Unauthorized Access in Ghostfolio's Portfolio Management API
CVE-2026-59709
5.3MEDIUM
What is CVE-2026-59709?
Ghostfolio's API has a critical flaw in its PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, which does not adequately validate the Access.permissions field. This oversight allows attackers with valid read-only share tokens to manipulate portfolio holding tags. As a result, unauthorized users can assign or remove tags, leading to corrupt portfolio categorization and erroneous reporting for affected users. This vulnerability poses significant risks to the integrity of financial data and user trust.
Affected Version(s)
Ghostfolio 0 <= 3.6.0
Ghostfolio 0 < 697ef59
