{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/ghostfolio/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-59708"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ghostfolio \u003c= 3.6.0"],"_cs_severities":["high"],"_cs_tags":["vulnerability","api","authorization-bypass","data-exposure","webserver"],"_cs_type":"advisory","_cs_vendors":["ghostfolio"],"content_html":"\u003cp\u003eA critical authorization bypass vulnerability, identified as CVE-2026-59708, has been discovered in the open-source personal finance dashboard, Ghostfolio. The flaw exists within the \u003ccode\u003e/api/v1/public/:accessId/portfolio\u003c/code\u003e API endpoint, which is intended to display public portfolios. However, the system fails to adequately validate \u003ccode\u003egranteeUserId\u003c/code\u003e filtering, meaning that if an attacker possesses a legitimate private \u003ccode\u003eaccessId\u003c/code\u003e, they can bypass authentication entirely. This allows unauthenticated retrieval of comprehensive portfolio data, including holdings, quantities, buy prices, and performance metrics. This vulnerability impacts Ghostfolio versions up to and including 3.6.0. Organizations using Ghostfolio should prioritize patching to prevent sensitive financial information from being exposed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains a valid \u003ccode\u003eprivate access ID\u003c/code\u003e associated with a Ghostfolio user's private portfolio, possibly through OSINT, prior data compromise, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an unauthenticated HTTP GET request directed at the vulnerable endpoint: \u003ccode\u003e/api/v1/public/:accessId/portfolio\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker substitutes the obtained \u003ccode\u003eprivate access ID\u003c/code\u003e into the URL path of the GET request.\u003c/li\u003e\n\u003cli\u003eThe Ghostfolio application receives and processes this unauthenticated request.\u003c/li\u003e\n\u003cli\u003eDue to the \u003ccode\u003eMissing Authorization\u003c/code\u003e (CWE-862) flaw, the application fails to perform proper \u003ccode\u003egranteeUserId\u003c/code\u003e filtering or authentication checks.\u003c/li\u003e\n\u003cli\u003eThe application retrieves the full, sensitive portfolio data corresponding to the provided \u003ccode\u003eaccessId\u003c/code\u003e from its backend.\u003c/li\u003e\n\u003cli\u003eThe application responds to the attacker's unauthenticated request by returning all associated portfolio information, such as investment holdings, purchase prices, and performance data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-59708 results in unauthorized access to highly sensitive financial information. Attackers can retrieve full portfolio details, including asset holdings, quantities, buy prices, and performance metrics, of any Ghostfolio user whose private \u003ccode\u003eaccessId\u003c/code\u003e they possess. This exposure of detailed investment portfolios can lead to significant financial privacy breaches, enable targeted financial fraud, investment manipulation, or even facilitate advanced phishing campaigns. The vulnerability has a CVSS v3.1 base score of 7.5 (High), reflecting the severe confidentiality impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch Ghostfolio installations to a version that addresses CVE-2026-59708. Refer to the commit \u003ccode\u003ehttps://github.com/ghostfolio/ghostfolio/commit/697ef59e3b58bebc5c21a9e482e4f5643390f316\u003c/code\u003e for the fix.\u003c/li\u003e\n\u003cli\u003eReview web application access logs for the \u003ccode\u003e/api/v1/public/*/portfolio\u003c/code\u003e endpoint for any unusual or unauthenticated access patterns, focusing on requests returning sensitive data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T19:19:32Z","date_published":"2026-07-07T19:19:32Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59708-ghostfolio/","summary":"An authorization bypass vulnerability (CVE-2026-59708) in Ghostfolio's GET /api/v1/public/:accessId/portfolio endpoint allows unauthenticated attackers with a private access ID to retrieve sensitive financial portfolio data, including holdings and performance metrics, due to missing `granteeUserId` filtering validation.","title":"CVE-2026-59708: Ghostfolio Unauthenticated Portfolio Data Exposure","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59708-ghostfolio/"}],"language":"en","title":"CraftedSignal Threat Feed - Ghostfolio","version":"https://jsonfeed.org/version/1.1"}