{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23844", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T15:46:40.842Z", "datePublished": "2026-01-19T20:43:29.212Z", "dateUpdated": "2026-01-20T15:54:02.974Z"}, "containers": {"cna": {"title": "Whisper Money has IDOR Vulnerability on sync/balances endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-488", "lang": "en", "description": "CWE-488: Exposure of Data Element to Wrong Session", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/whisper-money/whisper-money/security/advisories/GHSA-c4g3-wpxr-2m74", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/whisper-money/whisper-money/security/advisories/GHSA-c4g3-wpxr-2m74"}, {"name": "https://github.com/whisper-money/whisper-money/pull/60", "tags": ["x_refsource_MISC"], "url": "https://github.com/whisper-money/whisper-money/pull/60"}, {"name": "https://github.com/whisper-money/whisper-money/commit/80117c3edeaf5c5a5166f3815fc555a15b5ce686", "tags": ["x_refsource_MISC"], "url": "https://github.com/whisper-money/whisper-money/commit/80117c3edeaf5c5a5166f3815fc555a15b5ce686"}], "affected": [{"vendor": "whisper-money", "product": "whisper-money", "versions": [{"version": "< 0.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T20:43:29.212Z"}, "descriptions": [{"lang": "en", "value": "Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue."}], "source": {"advisory": "GHSA-c4g3-wpxr-2m74", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T15:53:46.959807Z", "id": "CVE-2026-23844", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:54:02.974Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23844", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T15:53:46.959807Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:53:52.164Z"}}], "cna": {"title": "Whisper Money has IDOR Vulnerability on sync/balances endpoint", "source": {"advisory": "GHSA-c4g3-wpxr-2m74", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "whisper-money", "product": "whisper-money", "versions": [{"status": "affected", "version": "< 0.1.5"}]}], "references": [{"url": "https://github.com/whisper-money/whisper-money/security/advisories/GHSA-c4g3-wpxr-2m74", "name": "https://github.com/whisper-money/whisper-money/security/advisories/GHSA-c4g3-wpxr-2m74", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/whisper-money/whisper-money/pull/60", "name": "https://github.com/whisper-money/whisper-money/pull/60", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/whisper-money/whisper-money/commit/80117c3edeaf5c5a5166f3815fc555a15b5ce686", "name": "https://github.com/whisper-money/whisper-money/commit/80117c3edeaf5c5a5166f3815fc555a15b5ce686", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-488", "description": "CWE-488: Exposure of Data Element to Wrong Session"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T20:43:29.212Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23844", "state": "PUBLISHED", "dateUpdated": "2026-01-20T15:54:02.974Z", "dateReserved": "2026-01-16T15:46:40.842Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T20:43:29.212Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:whisper.money:whisper_money:*:*:*:*:*:*:*:*", "matchCriteriaId": "10737ED6-1DD2-4FC6-80DB-CC3DB723EAFD", "versionEndExcluding": "0.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue."}], "id": "CVE-2026-23844", "lastModified": "2026-02-05T18:49:26.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-19T21:15:51.207", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/whisper-money/whisper-money/commit/80117c3edeaf5c5a5166f3815fc555a15b5ce686"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/whisper-money/whisper-money/pull/60"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/whisper-money/whisper-money/security/advisories/GHSA-c4g3-wpxr-2m74"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-488"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:48:52.759216+00:00", "value": {"mitigation_remediation": ["Upgrade Whisper Money to version 0.1.5 or newer to eliminate the IDOR flaw.", "Enforce strict ownership checks on all balance\u2011modifying endpoints so that only the account owner can update balances.", "Add logging and monitoring for all balance changes to detect unauthorized activity promptly."], "summary": {"action": "Patch Upgrade", "impact": "Unauthorized Financial Modification"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Whisper Money personal finance application before version 0.1.5. Users running any pre\u20110.1.5 release are susceptible. The issue has been addressed in version 0.1.5 and later.", "description_and_impact": "Whisper Money\u2019s sync/balances endpoint suffers from an insecure direct object reference that allows an authenticated user to modify balances in other users\u2019 bank accounts, potentially leading to unauthorized financial changes. The flaw corresponds to CWE\u2011639 and CWE\u2011488. An attacker can manipulate account balances without privilege escalation, resulting in monetary loss or incorrect account state.", "risk_and_exploitability": "The CVSS score of 4.9 indicates low to medium severity, and the EPSS score is below 1%, suggesting a low probability of observed exploitation. The flaw is not listed in CISA\u2019s KEV catalog. The likely attack vector is a remote user sending crafted requests to the sync/balances endpoint after authenticating, taking advantage of missing ownership checks. Even though exploitation is unlikely, the impact on financial data can be significant."}}}}, "created": "2026-01-20T08:40:25.759391+00:00", "updated": "2026-04-18T16:00:04.281187+00:00", "vendors": ["whisper-money", "whisper-money$PRODUCT$whisper-money"]}