GHSA-m2cq-xjgm-f668: ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
Summary
ActualBudget server has a missing authentication vulnerability in its SimpleFIN and Pluggy.ai bank sync endpoints, allowing any unauthenticated attacker to access sensitive bank account balances and transaction history. The vulnerable endpoints (like POST /simplefin/accounts and POST /pluggyai/transactions) lack authentication middleware (code that verifies a user is logged in before allowing access), making this a critical issue for any ActualBudget server instance accessible over a network.
Solution / Mitigation
The advisory notes that other integrations, such as GoCardless, already guard their routes by calling `app.use(validateSessionMiddleware)` to register authentication middleware. The same middleware must be added to the SimpleFIN and Pluggy.ai endpoint files (`/packages/sync-server/src/app-simplefin/app-simplefin.js` and `/packages/sync-server/src/app-pluggyai/app-pluggyai.js`) so that a valid login session is required before the sensitive endpoints are reached, following the pattern in `packages/sync-server/src/app-gocardless/app-gocardless.js`.
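The following is an added example, not ActualBudget's code: a minimal Express-style router, written in plain Node.js with no dependencies, that reproduces the bug (bank-sync routes registered with no session check) next to the fix (the session middleware registered with `app.use()` before the routes). The in-memory session store, the `Authorization: Bearer` header, the account payload, the tiny router and the body of `validateSessionMiddleware` are all constructed stand-ins; only the middleware name and the `/simplefin/accounts` path come from the advisory. One detail the example makes visible: middleware runs in registration order, so an `app.use()` placed after the route definitions would not protect them.

```javascript
// Added example, not ActualBudget's own code: a minimal Express-style router
// showing the missing-middleware bug and the app.use() fix side by side.
// Session tokens, header name and account payload are constructed sample data.

// Constructed session store: bearer token -> user id.
const SESSIONS = new Map([['tok-alice', 'alice']]);

// Constructed payload for the sensitive endpoint.
const ACCOUNTS = [{ id: 'acct-1', name: 'Checking', balance: 1234.56 }];

// Tiny Express-like app. Middleware added with use() runs in registration
// order before any route handler; a middleware that does not call next()
// terminates the request, so the handler never executes.
function createApp() {
  const middleware = [];
  const routes = new Map();
  return {
    use(fn) { middleware.push(fn); },
    post(path, handler) { routes.set(`POST ${path}`, handler); },
    // Dispatch one request { method, path, headers }; returns { status, body }.
    handle(req) {
      const res = {
        status: 200,
        body: null,
        send(status, body) { this.status = status; this.body = body; },
      };
      let i = 0;
      const next = () => {
        if (i < middleware.length) {
          middleware[i++](req, res, next);
        } else {
          const handler = routes.get(`${req.method} ${req.path}`);
          if (handler) handler(req, res);
          else res.send(404, { error: 'not found' });
        }
      };
      next();
      return { status: res.status, body: res.body };
    },
  };
}

// Hypothetical stand-in for the project's validateSessionMiddleware:
// reject the request unless the bearer token maps to a live session.
function validateSessionMiddleware(req, res, next) {
  const header = (req.headers && req.headers.authorization) || '';
  const token = header.startsWith('Bearer ') ? header.slice('Bearer '.length) : '';
  const userId = SESSIONS.get(token);
  if (!userId) {
    res.send(401, { error: 'unauthorized' });
    return; // next() is not called, so the route handler is never reached
  }
  req.user = userId;
  next();
}

// Route registration shared by both variants below.
function registerSimpleFinRoutes(app) {
  app.post('/simplefin/accounts', (req, res) => res.send(200, { accounts: ACCOUNTS }));
}

// Before: no session check in front of the bank-sync routes.
function vulnerableApp() {
  const app = createApp();
  registerSimpleFinRoutes(app);
  return app;
}

// After: the session middleware is registered before the routes, as the
// GoCardless integration does with app.use(validateSessionMiddleware).
function fixedApp() {
  const app = createApp();
  app.use(validateSessionMiddleware);
  registerSimpleFinRoutes(app);
  return app;
}

// Regression check: POST the sensitive endpoint with or without a token.
function probe(app, token) {
  const headers = token ? { authorization: `Bearer ${token}` } : {};
  return app.handle({ method: 'POST', path: '/simplefin/accounts', headers });
}
```

`probe(app, null)` is the check worth keeping in a test suite after adding the middleware: an unauthenticated request to any bank-sync endpoint must return 401, and a request with a valid session must still return the account data.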
Vulnerability Details
EPSS: 0.1%
Original source: https://github.com/advisories/GHSA-m2cq-xjgm-f668
First tracked: February 24, 2026 at 07:00 PM
Classified by LLM (prompt v3) · confidence: 95%