Actual Budget Missing Authentication Vulnerability in Bank Integration Endpoints Allowing Data Exposure

Vulnerability

A vulnerability in Actual Budget's server component, prior to version 26.2.1, allows unauthenticated users to access the SimpleFIN and Pluggy.ai integration endpoints. This oversight enables unauthorized individuals to read sensitive bank account balance and transaction information belonging to Actual Budget users. The issue affects all users with SimpleFIN or Pluggy.ai integrations configured, and requires that the Actual Budget Server instance be reachable over the network.

Impact

Exploitation of this vulnerability allows unauthorized access to bank account balances and transaction histories of Actual Budget users, specifically those with SimpleFIN or Pluggy.ai integrations active.

Reproduction

The vulnerability can be reproduced by sending POST requests to the unprotected SimpleFIN or Pluggy.ai endpoints without authentication. Responses will include sensitive bank account information, such as balances and transaction details.

Remediation

Users should update to Actual Budget version 26.2.1 or later, where this vulnerability has been patched.
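The following added example (not Actual Budget's own code) models the bug class described above with a plain route table instead of a real HTTP framework: the integration routes registered with no session gate, next to the hardened form where every integration route is wrapped in an authentication check. The route paths, the x-actual-token header name and the in-memory session store are assumptions made for the example.

```javascript
'use strict';

// Constructed in-memory session store: token -> user id. A real server would
// back this with its own session table; the values here are made up.
const SESSIONS = new Map([['tok-constructed-1', 'user-1']]);

// Constructed stand-in for the bank data an integration endpoint returns.
function fetchBankData() {
  return { accounts: [{ id: 'acct-1', balance: 123.45 }] };
}

// Resolve the session named by the request header (header name is assumed).
function sessionUser(req) {
  const token = req.headers['x-actual-token'];
  if (typeof token !== 'string') return null;
  return SESSIONS.get(token) || null;
}

// Gate: wraps a handler so it only runs for an authenticated session and
// answers 401 otherwise, without ever touching the bank-data code path.
function requireSession(handler) {
  return (req) => {
    const user = sessionUser(req);
    if (!user) return { status: 401, body: { error: 'unauthorized' } };
    return handler(req, user);
  };
}

const accountsHandler = () => ({ status: 200, body: fetchBankData() });

// Vulnerable shape: the integration routes are reachable with no session
// check, so any network client gets the bank data (route paths are assumed).
const vulnerableRoutes = {
  'POST /simplefin/accounts': accountsHandler,
  'POST /pluggyai/accounts': accountsHandler,
};

// Hardened shape: every integration route passes through requireSession.
const hardenedRoutes = Object.fromEntries(
  Object.entries(vulnerableRoutes).map(([k, h]) => [k, requireSession(h)])
);

// Minimal dispatcher standing in for the web framework's router.
function dispatch(routes, method, path, headers = {}) {
  const handler = routes[`${method} ${path}`];
  if (!handler) return { status: 404, body: null };
  return handler({ method, path, headers });
}
```

A regression check for the fix is simply asserting that an unauthenticated request to each integration route returns 401 rather than account data.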

Added: Feb 24, 2026, 3:27 PM
Updated: Feb 24, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.