CVE-2026-59708: Ghostfolio Unauthenticated Portfolio Data Exposure
An authorization bypass vulnerability (CVE-2026-59708) in Ghostfolio's GET /api/v1/public/:accessId/portfolio endpoint allows unauthenticated attackers with a private access ID to retrieve sensitive financial portfolio data, including holdings and performance metrics, due to missing `granteeUserId` filtering validation.
A critical authorization bypass vulnerability, identified as CVE-2026-59708, has been discovered in the open-source personal finance dashboard, Ghostfolio. The flaw exists within the /api/v1/public/:accessId/portfolio API endpoint, which is intended to display public portfolios. However, the system fails to adequately validate granteeUserId filtering, meaning that if an attacker possesses a legitimate private accessId, they can bypass authentication entirely. This allows unauthenticated retrieval of comprehensive portfolio data, including holdings, quantities, buy prices, and performance metrics. This vulnerability impacts Ghostfolio versions up to and including 3.6.0. Organizations using Ghostfolio should prioritize patching to prevent sensitive financial information from being exposed.
Attack Chain
- An attacker obtains a valid
private access IDassociated with a Ghostfolio user's private portfolio, possibly through OSINT, prior data compromise, or other means. - The attacker crafts an unauthenticated HTTP GET request directed at the vulnerable endpoint:
/api/v1/public/:accessId/portfolio. - The attacker substitutes the obtained
private access IDinto the URL path of the GET request. - The Ghostfolio application receives and processes this unauthenticated request.
- Due to the
Missing Authorization(CWE-862) flaw, the application fails to perform propergranteeUserIdfiltering or authentication checks. - The application retrieves the full, sensitive portfolio data corresponding to the provided
accessIdfrom its backend. - The application responds to the attacker's unauthenticated request by returning all associated portfolio information, such as investment holdings, purchase prices, and performance data.
Impact
The successful exploitation of CVE-2026-59708 results in unauthorized access to highly sensitive financial information. Attackers can retrieve full portfolio details, including asset holdings, quantities, buy prices, and performance metrics, of any Ghostfolio user whose private accessId they possess. This exposure of detailed investment portfolios can lead to significant financial privacy breaches, enable targeted financial fraud, investment manipulation, or even facilitate advanced phishing campaigns. The vulnerability has a CVSS v3.1 base score of 7.5 (High), reflecting the severe confidentiality impact.
Recommendation
- Immediately patch Ghostfolio installations to a version that addresses CVE-2026-59708. Refer to the commit
https://github.com/ghostfolio/ghostfolio/commit/697ef59e3b58bebc5c21a9e482e4f5643390f316for the fix. - Review web application access logs for the
/api/v1/public/*/portfolioendpoint for any unusual or unauthenticated access patterns, focusing on requests returning sensitive data.