CVE-2026-59708 in Ghostfolio
Summary
by MITRE • 07/07/2026
The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings, quantities, buy prices, and performance metrics without authentication.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/07/2026
This vulnerability resides in the ghostfolio application's API endpoint design where the /api/v1/public/:accessId/portfolio route fails to properly validate access controls despite being marked as public. The flaw stems from improper granteeUserId filtering validation that allows attackers to bypass authentication mechanisms by simply knowing a valid private access ID. The technical implementation lacks proper authorization checks that should verify whether the requesting entity has legitimate rights to access the portfolio data associated with the provided access ID. This represents a classic case of insufficient authorization controls where the system assumes that possession of an access ID grants full access regardless of user authentication status.
The operational impact of this vulnerability is significant as it enables unauthorized data exfiltration of sensitive financial information including detailed holdings, quantities, purchase prices, and performance metrics for any portfolio accessible via a valid private access ID. Attackers can exploit this weakness to gain comprehensive insights into investment strategies, asset allocation decisions, and trading activities without requiring legitimate credentials or user accounts. This creates a substantial risk for users whose portfolios contain confidential investment information that could be leveraged for financial fraud, market manipulation, or competitive intelligence gathering.
From a cybersecurity perspective, this vulnerability aligns with CWE-285 (Improper Authorization) and represents a privilege escalation issue where unauthorized access is granted through flawed access control validation. The flaw also maps to ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) as it allows attackers to leverage valid but potentially misconfigured access identifiers to gain unauthorized access. The vulnerability demonstrates poor defense-in-depth principles where multiple security controls should have been implemented including proper authentication verification, session management, and access control enforcement.
Mitigation strategies should focus on implementing robust authorization checks that verify granteeUserId against the authenticated user context before granting access to portfolio data. The system must enforce proper session validation and ensure that access IDs cannot be used as substitutes for legitimate authentication tokens. Additional measures include implementing rate limiting to prevent automated enumeration attacks, adding logging mechanisms to detect suspicious access patterns, and ensuring that private access IDs are properly scoped to specific users or sessions. Security teams should also consider implementing multi-factor authentication requirements for access ID generation and regularly audit access control configurations to prevent similar issues in the future.