CVE-2026-59709
Received Received - Intake

Ghostfolio PUT Endpoint Permission Bypass via Impersonation-Id Header

Vulnerability report for CVE-2026-59709, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: VulnCheck

Description

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove tags on victim holdings, corrupting portfolio categorization and reports.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ghostfolio ghostfolio to 3.6.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing attackers with read-only access to modify your portfolio holding tags without permission.

  • Unauthorized modification of portfolio tags.
  • Corruption of portfolio categorization.
  • Distortion of portfolio reports and filters.

Such unauthorized changes can lead to inaccurate investment insights and mismanagement of your portfolio data.

Executive Summary

The vulnerability in Ghostfolio affects the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint. It fails to properly verify the Access.permissions field when processing the Impersonation-Id header. This flaw allows users who only have read-only access to modify portfolio holding tags.

Attackers with valid read-only share tokens can exploit this vulnerability to assign or remove tags on another user's portfolio holdings. This unauthorized modification can corrupt portfolio categorization and reports.

Detection Guidance

This vulnerability involves unauthorized modification of portfolio holding tags via the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint when using the Impersonation-Id header without proper permission checks.

To detect exploitation attempts on your network or system, you can monitor HTTP PUT requests to the affected endpoint and check for the presence of the Impersonation-Id header in requests made by users with read-only access.

Suggested commands include using network traffic inspection tools or web server logs to filter for such requests. For example, using curl or similar tools to simulate or detect suspicious requests:

  • Check web server logs for PUT requests to the endpoint: grep 'PUT /api/v1/portfolio/holding/' /var/log/nginx/access.log
  • Filter requests containing the Impersonation-Id header: grep 'Impersonation-Id' /var/log/nginx/access.log
  • Use curl to test if a read-only token can modify tags (replace placeholders accordingly): curl -X PUT -H "Authorization: Bearer <read-only-token>" -H "Impersonation-Id: <id>" -d '{"tags": ["test"]}' https://<ghostfolio-host>/api/v1/portfolio/holding/<dataSource>/<symbol>/tags

Additionally, monitoring for unexpected changes in portfolio holding tags or reports may indicate exploitation.

Mitigation Strategies

Immediate mitigation steps include updating Ghostfolio to a version that contains the fix for this vulnerability.

The vulnerability has been fixed in commit 697ef59, which adds proper verification of the Access.permissions field when processing the Impersonation-Id header.

If updating immediately is not possible, consider restricting or disabling the use of the Impersonation-Id header or limiting read-only share tokens to prevent unauthorized tag modifications.

Also, review and monitor portfolio holding tags for unauthorized changes and revoke or rotate any read-only share tokens that may have been compromised.

Compliance Impact

The vulnerability allows users with read-only access to modify portfolio holding tags without proper authorization checks. This unauthorized modification can lead to corrupted portfolio categorization and reports.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, unauthorized data modification and improper access control could potentially violate principles of data integrity and access management required by such regulations.

Therefore, this vulnerability may impact compliance by undermining data integrity and access control policies, which are critical components in many regulatory frameworks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59709. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart