Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-59708

HIGH NVD
CVSS Score 7.5
Severity HIGH
Published Jul 07, 2026
Vendor unknown

Description

The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings, quantities, buy prices, and performance metrics without authentication.

References