ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
Description
Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.
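An added defender's check, not code from the ActualBudget project: it reads an Express sub-app source and lists the routes registered before `validateSessionMiddleware` is mounted, which is exactly the shape of the defect described above. The two sample sources are constructed to mirror the pre-fix and post-fix form of the patched files; the `/accounts` and `/transactions` route names are assumed for illustration.

```javascript
// Added example, not ActualBudget project code: a lint-style check that an
// Express sub-app mounts validateSessionMiddleware before registering routes.
// Routes registered earlier (or in a sub-app that never mounts it) are
// reachable without a session, which is the defect the advisory describes.
const AUTH_MOUNT = /\bapp\.use\(\s*validateSessionMiddleware\s*\)/;
const ROUTE = /\bapp\.(get|post|put|delete|patch|all)\(\s*(['"])([^'"]*)\2/g;

// Returns "METHOD /path" for every route that is registered before the
// session middleware is mounted; all routes if it is never mounted.
function unauthenticatedRoutes(source) {
  const mountAt = source.search(AUTH_MOUNT);
  const exposed = [];
  for (const m of source.matchAll(ROUTE)) {
    if (mountAt === -1 || m.index < mountAt) {
      exposed.push(`${m[1].toUpperCase()} ${m[3]}`);
    }
  }
  return exposed;
}

// Constructed sample mirroring the pre-fix shape of app-simplefin.js;
// /accounts and /transactions are assumed route names, not from the diff.
const BEFORE_FIX = `
import express from 'express';
import { requestLoggerMiddleware } from '../util/middlewares';
const app = express();
app.use(express.json());
app.use(requestLoggerMiddleware);
app.post('/status', async (req, res) => res.json({ status: 'ok' }));
app.post('/accounts', async (req, res) => res.json(await accounts(req)));
app.post('/transactions', async (req, res) => res.json(await txns(req)));
`;

// Constructed sample mirroring the post-fix shape: the session check is
// mounted at sub-app level before any route, so every route is covered.
const AFTER_FIX = `
import express from 'express';
import { requestLoggerMiddleware, validateSessionMiddleware } from '../util/middlewares';
const app = express();
app.use(requestLoggerMiddleware);
app.use(express.json());
app.use(validateSessionMiddleware);
app.post('/status', async (req, res) => res.json({ status: 'ok' }));
app.post('/accounts', async (req, res) => res.json(await accounts(req)));
`;

console.log('before fix:', unauthenticatedRoutes(BEFORE_FIX)); // ['POST /status', 'POST /accounts', 'POST /transactions']
console.log('after fix:', unauthenticatedRoutes(AFTER_FIX));   // []
```

Run it over every `app-*/app-*.js` under the sync-server source tree to catch a sub-app that registers a route before the session middleware or never mounts it.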
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @actual-app/sync-server (npm) | < 26.2.1 | 26.2.1 |
Affected products
- Range: < 26.2.1
Patches
ea937d100956 Require authentication for SimpleFIN and Pluggy.ai endpoints (#7034)
3 files changed · +18 −4
packages/sync-server/src/app-pluggyai/app-pluggyai.js+6 −2 modified@@ -2,14 +2,18 @@ import express from 'express'; import { handleError } from '../app-gocardless/util/handle-error'; import { SecretName, secretsService } from '../services/secrets-service'; -import { requestLoggerMiddleware } from '../util/middlewares'; +import { + requestLoggerMiddleware, + validateSessionMiddleware, +} from '../util/middlewares'; import { pluggyaiService } from './pluggyai-service'; const app = express(); export { app as handlers }; -app.use(express.json()); app.use(requestLoggerMiddleware); +app.use(express.json()); +app.use(validateSessionMiddleware); app.post( '/status',
packages/sync-server/src/app-simplefin/app-simplefin.js+6 −2 modified@@ -4,12 +4,16 @@ import express from 'express'; import { handleError } from '../app-gocardless/util/handle-error'; import { SecretName, secretsService } from '../services/secrets-service'; -import { requestLoggerMiddleware } from '../util/middlewares'; +import { + requestLoggerMiddleware, + validateSessionMiddleware, +} from '../util/middlewares'; const app = express(); export { app as handlers }; -app.use(express.json()); app.use(requestLoggerMiddleware); +app.use(express.json()); +app.use(validateSessionMiddleware); app.post( '/status',
upcoming-release-notes/7034.md+6 −0 added@@ -0,0 +1,6 @@ +--- +category: Bugfixes +authors: [MatissJanis] +--- + +Fix: simplefin and pluggy not requiring auth
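Review bot: In the app-pluggyai.js and app-simplefin.js hunks, `app.use(express.json())` is moved below `app.use(requestLoggerMiddleware)`, so the logger now runs before the body is parsed; that is unrelated to the authentication fix and changes what `req.body` holds when the logger runs, so it should either be justified in the commit or left in its original position. Mounting `app.use(validateSessionMiddleware)` at sub-app level does cover `/status` and every route registered after it in both files, but the patch adds no test asserting that a request without a session is rejected by these endpoints; a regression test per sub-app would keep the same omission from recurring, and the `../app-gocardless` import visible in both files suggests the other integration sub-apps should be checked for the same mount.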
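Review bot: The release note in upcoming-release-notes/7034.md files this under `category: Bugfixes` with only "Fix: simplefin and pluggy not requiring auth"; since the change closes an unauthenticated read of bank balances and transactions, the note should say so and tell operators of network-reachable sync-server instances to upgrade, so the security impact is not lost in the changelog.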
References
- github.com/advisories/GHSA-m2cq-xjgm-f668 (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-27584 (source: GHSA; type: ADVISORY)
- github.com/actualbudget/actual/commit/ea937d100956ca56689ff852d99c28589e2a7d88 (source: GHSA; type: x_refsource_MISC, WEB)
- github.com/actualbudget/actual/security/advisories/GHSA-m2cq-xjgm-f668 (source: GHSA; type: x_refsource_CONFIRM, WEB)