PatchSiren cyber security CVE debrief
CVE-2026-50007 actualbudget CVE debrief
CVE-2026-50007 is a high-severity vulnerability in the Actual open-source personal finance application. Prior to version 26.7.0, a missing authorization issue allows a shared user with user_access on a budget file to perform owner-only file management actions. This issue is fixed in version 26.7.0. The vulnerability exists due to a missing authorization check in the requireFileAccess function, which treats ordinary shared access as sufficient for file-management operations that should be restricted to the file owner or an administrator.
- Vendor
- actualbudget
- Product
- actual
- CVSS
- HIGH 7.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of the Actual open-source personal finance application, particularly those who have shared access to budget files, should be aware of this vulnerability and ensure they are using version 26.7.0 or later to prevent unauthorized file management actions. Affected operators, platform administrators, vulnerability management teams, and security teams should review and act on this vulnerability.
Technical summary
The vulnerability exists due to a missing authorization check in the requireFileAccess function, which treats ordinary shared access as sufficient for file-management operations that should be restricted to the file owner or an administrator. This allows a non-owner shared user to call file-management endpoints intended for higher-privilege users, including /delete-user-file, /reset-user-file, and /user-create-key. The issue is fixed in version 26.7.0.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 26.7.0 or later of the Actual open-source personal finance application
- Review and restrict shared access to budget files
- Monitor file management actions for suspicious activity
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-07T21:17:25.977Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence limits suggest that the vulnerability affects Actual open-source personal finance application versions prior to 26.7.0. Defenders should verify affected scope and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T21:17:25.977Z and has not been modified since then.