Vendor
An authorization bypass vulnerability (CVE-2026-59708) in Ghostfolio's GET /api/v1/public/:accessId/portfolio endpoint allows unauthenticated attackers with a private access ID to retrieve sensitive financial portfolio data, including holdings and performance metrics, due to missing `granteeUserId` filtering validation.