A vulnerability, which was classified as critical, was found in Ghostfolio up to 3.6.0. This issue affects some unknown processing of the file /api/v1/portfolio/holding of the component Access Control. The manipulation of the argument Impersonation-Id results in permission issues.
This vulnerability is cataloged as CVE-2026-59709. The attack may be launched remotely. There is no exploit available.