PatchSiren cyber security CVE debrief
CVE-2026-59709 Ghostfolio CVE debrief
CVE-2026-59709 debrief: The CVE record was published on 2026-07-07T15:16:49.430Z and has not been modified since then. The NVD entry is currently Received. This vulnerability affects Ghostfolio's portfolio management functionality, specifically the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint, which fails to verify the Access.permissions field when processing the Impersonation-Id header. This allows read-only access grantees to modify portfolio holding tags, potentially corrupting portfolio categorization and reports.
- Vendor
- Ghostfolio
- Product
- Unknown
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of Ghostfolio with read-only access grants should verify their portfolio holding tags for unauthorized modifications. Additionally, administrators and security teams responsible for managing Ghostfolio deployments should review and restrict access to portfolio holding tags to prevent potential data corruption.
Technical summary
Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. This could lead to unauthorized changes to portfolio holding tags, affecting the accuracy of portfolio reports and categorization. The vulnerability has a CVSS score of 5.3 and is considered Medium severity. Users with read-only access grants should verify their portfolio holding tags for unauthorized modifications. Administrators and security teams should review and restrict access to portfolio holding tags to prevent potential data corruption. Evidence is limited; further verification required through inventory checks and vendor remediation.
Defensive priority
Medium priority due to CVSS score of 5.3 and potential for data corruption.
Recommended defensive actions
- Verify and restrict access to portfolio holding tags
- Implement proper permission checks for Impersonation-Id header
- Monitor portfolio holding tags for unauthorized changes
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
Evidence is limited; further verification required through inventory checks and vendor remediation. Additional verification tasks include reviewing system logs for suspicious activity, checking for unauthorized changes to portfolio holding tags, and validating the integrity of portfolio data.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T15:16:49.430Z and has not been modified since then.