Actual Local-First Personal Finance Tool Cross-User File Access Vulnerability
Vulnerability
A vulnerability in the Actual personal finance tool, prior to version 26.2.1, allows authenticated users to access, modify, and overwrite other users' budget files in multi-user mode (OpenID). The sync API endpoints do not verify file ownership or access rights, enabling any user to manipulate files by providing the corresponding file ID. This issue has been patched in version 26.2.1.
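The following is an added illustration of the access-control flaw described above, not code from the Actual project: a hypothetical in-memory model of a sync handler that authenticates the caller but skips the ownership check, next to the hardened form that authorizes the caller against the file's owner before any read or write. File records, session tokens and action names are constructed for the example.

```javascript
// Hypothetical model of the flaw (not Actual's code). Constructed file store:
// each budget file is keyed by its file ID and records the owning user.
const files = new Map([
  ["file-alice", { ownerId: "alice", name: "Alice budget", syncState: 7, keyId: "k1" }],
  ["file-bob",   { ownerId: "bob",   name: "Bob budget",   syncState: 3, keyId: "k2" }],
]);

// Constructed sessions: a valid session token maps to the authenticated user.
const sessions = new Map([["tok-bob", "bob"], ["tok-alice", "alice"]]);

function authenticate(token) {
  const userId = sessions.get(token);
  return userId ? { status: 200, userId } : { status: 401 };
}

// Shared action logic: download, rename, reset sync state or replace the key
// reference. Authorization must happen before this is reached.
function applyAction(file, action, arg) {
  switch (action) {
    case "download":   return { status: 200, body: { ...file } };
    case "rename":     file.name = arg;      return { status: 200 };
    case "reset-sync": file.syncState = 0;   return { status: 200 };
    case "set-key":    file.keyId = arg;     return { status: 200 };
    default:           return { status: 400 };
  }
}

// Vulnerable handler: the caller is authenticated, but the requested fileId is
// never compared with the caller, so any logged-in user can act on any file.
function handleSyncVulnerable(token, fileId, action, arg) {
  const auth = authenticate(token);
  if (auth.status !== 200) return auth;
  const file = files.get(fileId);
  if (!file) return { status: 404 };
  return applyAction(file, action, arg);
}

// Hardened handler: after authentication, require that the file belongs to the
// caller. A missing file and a foreign file both answer 404 so the response
// does not reveal which file IDs exist.
function handleSyncFixed(token, fileId, action, arg) {
  const auth = authenticate(token);
  if (auth.status !== 200) return auth;
  const file = files.get(fileId);
  if (!file || file.ownerId !== auth.userId) return { status: 404 };
  return applyAction(file, action, arg);
}
```

The same ownership check belongs on every endpoint that takes a file ID, including the ones that only read, since the download path leaks the financial data even when nothing is modified.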
Impact
Exploitation of this vulnerability allows for unauthorized access to, and modification of, other users' budget files, including sensitive financial data such as transactions and account balances. Additionally, it permits tampering with encryption keys associated with these files.
Reproduction
To reproduce this vulnerability, authenticate as one user (e.g., Bob) and use the sync API endpoints to access and modify another user's (e.g., Alice's) budget files. This can be done by sending requests to the sync endpoints with Alice's file ID, while using Bob's session token for authentication. Actions can include downloading Alice's file, renaming it, or resetting its sync state, all of which demonstrate unauthorized access and modification.
Remediation
Users can update to Actual version 26.2.1 or later, where this vulnerability has been fixed.
