CVE-2026-59709
Ghostfolio - Unauthorized Portfolio Holding Tag Modification via Missing Permission Check
CVSS Score
4.3
EPSS Score
0.2%
EPSS Percentile
10th
Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove tags on victim holdings, corrupting portfolio categorization and reports.
| CWE | CWE-862 |
| Vendor | ghostfolio |
| Product | ghostfolio |
| Published | Jul 7, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for ghostfolio ghostfolio
Be the first to know when new medium vulnerabilities affecting ghostfolio ghostfolio are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Affected Versions
Ghostfolio / Ghostfolio
0 โค 3.6.0
References
github.com: https://github.com/ghostfolio/ghostfolio/issues/7196 github.com: https://github.com/ghostfolio/ghostfolio github.com: https://github.com/ghostfolio/ghostfolio/commit/697ef59e3b58bebc5c21a9e482e4f5643390f316 vulncheck.com: https://www.vulncheck.com/advisories/ghostfolio-unauthorized-portfolio-holding-tag-modification-via-missing-permission-check
Credits
๐ George Chen