CVE-2026-23844
Insecure Direct Object Reference in Whisper Money Allows Account Manipulation
Publication date: 2026-01-19
Last updated on: 2026-02-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| whisper_money | whisper_money | to 0.1.5 (exc) |
| whisper_money | whisper_money | 0.1.5 |
| whisper.money | whisper_money | to 0.1.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-488 | The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) in the Whisper Money application versions prior to 0.1.5. It allows an authenticated user to update or create account balances in other users' bank accounts by bypassing proper ownership validation. Essentially, the application did not properly check if the user making the request actually owned the account they were trying to modify, enabling unauthorized access and manipulation of other users' financial data. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthorized users to alter your bank account balances within the Whisper Money application. This compromises the integrity and authorization controls of your financial data, potentially leading to incorrect account balances, financial loss, or unauthorized financial actions performed on your behalf. [2, 1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to update or create account balances on bank accounts that do not belong to the authenticated user, specifically targeting the "sync/balances" endpoint. Since the issue is an Insecure Direct Object Reference (IDOR), you can test by sending HTTP requests with account IDs of other users and observing if the system allows unauthorized modifications. For example, using curl commands to send POST or PUT requests to the endpoint with different account IDs and checking for unauthorized success responses or forbidden errors can help detect the vulnerability. Specific commands are not provided in the resources, but the approach involves testing authorization enforcement on resource access. [2, 1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Whisper Money application to version 0.1.5 or later, where the vulnerability has been fixed. The fix enforces user ownership checks on all resource accesses and modifications by validating that referenced entities (accounts, categories, labels) belong to the authenticated user. This prevents unauthorized users from updating or creating account balances on other users' bank accounts. If upgrading is not immediately possible, implementing strict authorization checks on the "sync/balances" endpoint to ensure users can only modify their own data is critical. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthorized users to update or create account balances in other users' bank accounts, it potentially compromises data integrity and confidentiality, which are critical aspects of compliance with data protection regulations. The fix enforces strict ownership validation to prevent unauthorized access, which would help in maintaining compliance by protecting user data from unauthorized modification. [1, 2]