CVE-2026-59708

Summary

The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings, quantities, buy prices, and performance metrics without authentication.

Affected Software

VendorProductVersion RangeStatus
ghostfolioghostfolio0 <= 3.6.0affected
ghostfolioghostfolio0 <= 697ef59affected

Weaknesses

  • CWE-862: Missing Authorization

References