GHSA-fqj2-r74g-4gfpHighCVSS 7.5

The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs...

Published
July 7, 2026
Last Modified
July 7, 2026

🔗 CVE IDs covered (1)

📋 Description

The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings, quantities, buy prices, and performance metrics without authentication.

🔗 References (6)