CVE-2026-59708
HIGH
NVD
CVSS Score
7.5
Severity
HIGH
Published
Jul 07, 2026
Vendor
unknown
Description
The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings, quantities, buy prices, and performance metrics without authentication.