๐Ÿ” CVE Alert

CVE-2026-50007

UNKNOWN 0.0

Actual: Shared users can perform owner-only file management actions

CVSS Score
0.0
EPSS Score
0.2%
EPSS Percentile
16th

Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with user_access on a budget file to perform owner-only file management actions. A non-owner shared user can call file-management endpoints intended for higher-privilege users, including /delete-user-file, /reset-user-file, and /user-create-key, because requireFileAccess treats ordinary shared access as sufficient for file-management operations that should be restricted to the file owner or an administrator. This issue is fixed in version 26.7.0.

CWE CWE-862
Vendor actualbudget
Product actual
Published Jul 7, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for actualbudget actual

Be the first to know when new unknown vulnerabilities affecting actualbudget actual are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

actualbudget / actual
< 26.7.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/actualbudget/actual/security/advisories/GHSA-23vm-ffgg-qvjr github.com: https://github.com/actualbudget/actual/pull/7977 github.com: https://github.com/actualbudget/actual/pull/8333 github.com: https://github.com/actualbudget/actual/commit/18a8dc03c48eeb2e8252669a80673e6a9933b5fd github.com: https://github.com/actualbudget/actual/commit/3b9e79ed5ee795a80bbae214d6ebb2755289d7f2