Executive Summary

CVE-2026-27584 is a critical vulnerability in the ActualBudget server component prior to version 26.2.1. The issue is caused by missing authentication middleware on the SimpleFIN and Pluggy.ai integration endpoints, which allows any unauthenticated user with network access to query these endpoints.

Because of this missing authentication, an attacker can send requests to these endpoints and retrieve sensitive bank account balances and transaction histories of ActualBudget users without needing any privileges or user interaction.

The affected endpoints include POST requests to /simplefin/status, /simplefin/accounts, /simplefin/transactions, /pluggyai/status, /pluggyai/accounts, and /pluggyai/transactions. These endpoints are intended only for authenticated users to sync bank data.

This vulnerability is classified under CWE-306: Missing Authentication for Critical Function, meaning the product fails to enforce authentication on functions that require verified user identity.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have a severe impact on users of ActualBudget Server with SimpleFIN or Pluggy.ai integrations configured. An attacker can remotely and without authentication access sensitive financial information including bank account balances and detailed transaction histories.'}, {'type': 'paragraph', 'content': "The confidentiality of users' private financial data is compromised, which can lead to privacy violations, financial fraud, or identity theft."}, {'type': 'paragraph', 'content': 'There is no impact on data integrity or availability, but the exposure of sensitive data alone represents a high-severity risk.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting unauthenticated POST requests to the affected ActualBudget server endpoints related to SimpleFIN and Pluggy.ai integrations. If these endpoints respond without requiring authentication, the system is vulnerable.

• POST /simplefin/status - to check if the SimpleFIN integration is configured.
• POST /simplefin/accounts - to list bank accounts.
• POST /simplefin/transactions - to retrieve transaction data for specific account IDs.
• POST /pluggyai/status - to check if the Pluggy.ai integration is configured.
• POST /pluggyai/accounts - to list bank accounts.
• POST /pluggyai/transactions - to retrieve transaction data for specific account IDs.

Example commands using curl to test these endpoints without authentication could be:

• curl -X POST http://<actualbudget-server>/simplefin/status
• curl -X POST http://<actualbudget-server>/simplefin/accounts
• curl -X POST http://<actualbudget-server>/pluggyai/transactions

If these commands return sensitive data without authentication, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the ActualBudget server component to version 26.2.1 or later, where the vulnerability is fixed by adding proper authentication middleware to the affected endpoints.

This fix involves applying the `validateSessionMiddleware` to the SimpleFIN and Pluggy.ai API routes to enforce authenticated access.

Until the upgrade can be applied, restrict network access to the ActualBudget server to trusted users only, preventing unauthenticated external access to the vulnerable endpoints.

Useful 0 Not Useful 0