PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59709 Ghostfolio CVE debrief

CVE-2026-59709 debrief: The CVE record was published on 2026-07-07T15:16:49.430Z and has not been modified since then. The NVD entry is currently Received. This vulnerability affects Ghostfolio's portfolio management functionality, specifically the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, which fails to verify the Access.permissions field when processing the Impersonation-Id header. This allows read-only access grantees to modify portfolio holding tags, potentially corrupting portfolio categorization and reports.

Vendor
Ghostfolio
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Ghostfolio with read-only access grants should verify their portfolio holding tags for unauthorized modifications. Additionally, administrators and security teams responsible for managing Ghostfolio deployments should review and restrict access to portfolio holding tags to prevent potential data corruption.

Technical summary

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. This could lead to unauthorized changes to portfolio holding tags, affecting the accuracy of portfolio reports and categorization. The vulnerability has a CVSS score of 5.3 and is considered Medium severity. Users with read-only access grants should verify their portfolio holding tags for unauthorized modifications. Administrators and security teams should review and restrict access to portfolio holding tags to prevent potential data corruption. Evidence is limited; further verification required through inventory checks and vendor remediation.

Defensive priority

Medium priority due to CVSS score of 5.3 and potential for data corruption.

Recommended defensive actions

  • Verify and restrict access to portfolio holding tags
  • Implement proper permission checks for Impersonation-Id header
  • Monitor portfolio holding tags for unauthorized changes
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

Evidence is limited; further verification required through inventory checks and vendor remediation. Additional verification tasks include reviewing system logs for suspicious activity, checking for unauthorized changes to portfolio holding tags, and validating the integrity of portfolio data.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T15:16:49.430Z and has not been modified since then.