CVE-2026-59708
Received Received - Intake

Unauthenticated Portfolio Data Exposure in Ghostfolio

Vulnerability report for CVE-2026-59708, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: VulnCheck

Description

The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings, quantities, buy prices, and performance metrics without authentication.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ghostfolio ghostfolio to 3.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to access sensitive portfolio data including holdings, quantities, buy prices, and performance metrics without proper authorization.

Such unauthorized exposure of personal financial information can lead to non-compliance with data protection regulations like GDPR, which mandates strict controls on personal data access and processing.

Similarly, if the data includes health-related financial information or is used in contexts covered by HIPAA, this exposure could violate confidentiality requirements.

Overall, the lack of proper access control and authentication in this endpoint risks violating privacy and security requirements common to these standards.

Executive Summary

The vulnerability exists in the Ghostfolio software's GET /api/v1/public/:accessId/portfolio endpoint. This endpoint is intended to provide portfolio data based on an access ID. However, it fails to properly validate the granteeUserId filter when handling private access IDs.

Because of this missing validation, an unauthenticated attacker who knows a valid private access ID can retrieve the full portfolio data of another user without any authentication or authorization checks.

The exposed data includes sensitive financial information such as holdings, quantities, buy prices, and performance metrics.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive financial information. An attacker with knowledge of a private access ID can access full portfolio details without authentication.

  • Exposure of holdings and asset quantities.
  • Disclosure of buy prices and investment performance metrics.

Such exposure can compromise user privacy, lead to financial information leakage, and potentially enable further targeted attacks or fraud.

Detection Guidance

This vulnerability can be detected by attempting to access the GET /api/v1/public/:accessId/portfolio endpoint with a private access ID without authentication and observing if full portfolio data is returned.

A simple detection method is to use curl or similar HTTP client tools to send a GET request to the endpoint with a known or guessed private access ID and check if sensitive portfolio information such as holdings, quantities, buy prices, and performance metrics are returned.

  • curl -v https://<ghostfolio-server>/api/v1/public/<private-access-id>/portfolio
  • Check the response for sensitive portfolio data without any authentication headers.
Mitigation Strategies

Immediate mitigation involves updating Ghostfolio to a version that includes the fix for this vulnerability, which enforces proper authorization checks on the GET /api/v1/public/:accessId/portfolio endpoint.

The fix modifies the access query in the public controller to include a granteeUserId: null filter, ensuring that private portfolios cannot be accessed without proper authorization.

If an immediate update is not possible, restrict access to the vulnerable endpoint by network controls or disable public portfolio sharing temporarily.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59708. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart