GHSA-fqj2-r74g-4gfpHighCVSS 7.5
The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs...
🔗 CVE IDs covered (1)
📋 Description
The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings, quantities, buy prices, and performance metrics without authentication.
🔗 References (6)
- https://nvd.nist.gov/vuln/detail/CVE-2026-59708
- https://github.com/ghostfolio/ghostfolio/issues/7197
- https://github.com/ghostfolio/ghostfolio/commit/697ef59e3b58bebc5c21a9e482e4f5643390f316
- https://github.com/ghostfolio/ghostfolio
- https://www.vulncheck.com/advisories/ghostfolio-unauthorized-portfolio-data-exposure-via-public-endpoint
- https://github.com/advisories/GHSA-fqj2-r74g-4gfp