CVE-2026-50007 in actual
Summary
by MITRE • 07/07/2026
Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with user_access on a budget file to perform owner-only file management actions. A non-owner shared user can call file-management endpoints intended for higher-privilege users, including /delete-user-file, /reset-user-file, and /user-create-key, because requireFileAccess treats ordinary shared access as sufficient for file-management operations that should be restricted to the file owner or an administrator. This issue is fixed in version 26.7.0.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability identified in Actual's personal finance application represents a critical authorization flaw that undermines the application's security model for shared file access. This issue affects versions prior to 26.7.0 and demonstrates a classic privilege escalation vulnerability where unauthorized users can execute administrative operations typically restricted to file owners or administrators. The core problem lies in how the application validates user permissions for file management operations, creating a dangerous gap between intended access controls and actual implementation.
The technical flaw manifests through improper access control validation within the requireFileAccess function, which incorrectly treats standard shared user privileges as equivalent to owner-level permissions for specific file management endpoints. This misconfiguration allows a non-owner shared user to invoke three critical operations: /delete-user-file, /reset-user-file, and /user-create-key, all of which should be restricted to file owners or administrative users. The vulnerability stems from a lack of proper role-based access control implementation where the system fails to distinguish between different levels of file access permissions, effectively granting elevated privileges to users who should only have read-only or limited shared access.
The operational impact of this vulnerability extends beyond simple data exposure, as it enables potential destructive actions that could compromise entire financial datasets. A malicious or unauthorized shared user could delete critical budget files, reset user accounts, or create new cryptographic keys that would disrupt the application's functionality and potentially lead to complete loss of financial data for affected users. This authorization bypass creates a pathway for both accidental and intentional misuse of the application's core file management capabilities, undermining the trust model that personal finance applications must maintain to protect sensitive user information.
This vulnerability aligns with CWE-285, which addresses improper authorization in software systems, specifically highlighting insufficient access control mechanisms. The issue also maps to ATT&CK technique T1078.004, which covers legitimate credentials and the abuse of shared accounts, as it allows unauthorized users to leverage shared access privileges to escalate their capabilities within the application. Organizations using Actual prior to version 26.7.0 should immediately implement compensating controls such as monitoring for unusual file management activity, restricting shared user access where possible, and ensuring all users are properly educated about the security implications of shared file access. The fix implemented in version 26.7.0 demonstrates proper access control implementation by correctly enforcing privilege boundaries between shared users and file owners, reinforcing the principle of least privilege that is fundamental to secure application design in financial software environments.