CVE-2026-23844

4.3 MEDIUM

📋 TL;DR

Whisper Money versions before 0.1.5 contain an insecure direct object reference (IDOR) vulnerability: an authenticated user can modify bank account balances belonging to other users by referencing those users' account identifiers. Every user of an affected version with access to the application is in scope, and the result is unauthorized manipulation of financial data.

💻 Affected Systems

Products:
  • Whisper Money
Versions: All versions prior to 0.1.5
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious users could manipulate financial records across all user accounts, potentially causing financial losses, data corruption, and regulatory compliance violations.

🟠 Likely Case

An authenticated user, deliberately or by mistake, submits a balance update that references another user's account ID and alters that balance, leading to inaccurate financial reporting and potential disputes.

🟢 If Mitigated

With server-side ownership checks on every account operation, users can only modify their own account data, maintaining data integrity and privacy.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.5

Vendor Advisory: https://github.com/whisper-money/whisper-money/security/advisories/GHSA-c4g3-wpxr-2m74

Restart Required: Yes

Instructions:

1. Back up your current installation and data
2. Update to version 0.1.5 using your package manager or download it from the official repository
3. Restart the Whisper Money service
4. Verify the update was successful (the running version reports 0.1.5 or later)

🔧 Temporary Workarounds

Implement API access controls (all platforms): add server-side authorization checks so that every account read and write is scoped to the authenticated user. Look the account up by (owner, account ID) rather than by account ID alone, and treat an account owned by someone else the same as a missing one.
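As an added illustration, not Whisper Money's own code (the advisory does not show the project's language, models or routes), here is the IDOR pattern beside the scoped lookup that closes it, in Python with hypothetical names (Account, ACCOUNTS, NotFound) and constructed sample data:

```python
"""Ownership check for an account-balance update, shown vulnerable and fixed.

Added example, not Whisper Money's own code: the advisory does not show the
project's models, routes or framework, so this uses an in-memory store and a
framework-neutral handler. Names (Account, ACCOUNTS, NotFound) are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Account:
    id: int
    owner_user_id: int
    balance_cents: int


class NotFound(Exception):
    """Raised when the account does not exist for the calling user."""


# Constructed sample data: two users, each owning one account.
ACCOUNTS = {
    1: Account(id=1, owner_user_id=100, balance_cents=5000),
    2: Account(id=2, owner_user_id=200, balance_cents=7500),
}


def update_balance_vulnerable(current_user_id, account_id, new_balance_cents):
    """IDOR pattern: the account is fetched by id alone and current_user_id is
    never consulted, so any authenticated user who supplies another user's
    account id can overwrite that balance."""
    account = ACCOUNTS[account_id]
    account.balance_cents = new_balance_cents
    return account


def find_owned_account(current_user_id, account_id):
    """Scope the lookup to the caller's own accounts. An account that exists but
    belongs to someone else is answered exactly like a missing one, so the
    response cannot be used to enumerate other users' account ids."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner_user_id != current_user_id:
        raise NotFound(f"account {account_id} not found")
    return account


def update_balance_fixed(current_user_id, account_id, new_balance_cents):
    """Same operation with the authorization check on the write path."""
    account = find_owned_account(current_user_id, account_id)
    account.balance_cents = new_balance_cents
    return account


def cross_user_update_blocked(attacker_user_id, victim_account_id):
    """Verification helper: True only if the fixed handler refuses the write and
    the victim's balance is unchanged afterwards."""
    before = ACCOUNTS[victim_account_id].balance_cents
    try:
        update_balance_fixed(attacker_user_id, victim_account_id, 0)
    except NotFound:
        return ACCOUNTS[victim_account_id].balance_cents == before
    return False


if __name__ == "__main__":
    # User 100 targets account 2, which belongs to user 200.
    print("vulnerable handler wrote:", update_balance_vulnerable(100, 2, 0).balance_cents)
    print("fixed handler blocked it:", cross_user_update_blocked(100, 2))
```

The point of `find_owned_account` is that the ownership check lives in the lookup every handler uses, not in one endpoint; a second route that fetches by id alone would reintroduce the same bug.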

🧯 If You Can't Patch

  • Implement network segmentation to isolate Whisper Money from sensitive systems
  • Enable detailed audit logging for all account modification operations

🔍 How to Verify

Check if Vulnerable:

Check if Whisper Money version is below 0.1.5 in application settings or via package manager

Check Version:

whisper-money --version, or query the package manager if it was installed that way (apt list whisper-money, yum list whisper-money, etc.)

Verify Fix Applied:

Verify the version is 0.1.5 or higher, then, using two test users, confirm that a balance-update request from one user referencing the other user's account ID is rejected and leaves that balance unchanged.

📡 Detection & Monitoring

Log Indicators:

  • Multiple account balance modifications from single user in short timeframe
  • User ID mismatch between authenticated user and modified account records

Network Indicators:

  • Unusual patterns of API calls to account modification endpoints

SIEM Query:

source="whisper-money" AND (event="account_update" OR event="balance_modify") | stats count by user_id, target_account_id, account_owner_id | where user_id != account_owner_id

The comparison must be against the account's owner, not the account ID: user_id and target_account_id are different identifiers, so a filter of user_id != target_account_id would match almost every legitimate request. The account_owner_id field name is an assumption; if the audit event does not carry the owner, look it up from the account table before filtering.
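The two log indicators above, run as detection logic over constructed sample audit lines. This is an added example, not part of the advisory or of Whisper Money; the key=value log format, the field names (event, user_id, target_account_id), the event names and the ACCOUNT_OWNER ownership table are assumptions to be mapped onto the real audit log:

```python
"""Run the two log indicators above over constructed audit-log lines.

Added example, not part of the advisory or of Whisper Money. The key=value log
format, the field names (event, user_id, target_account_id), the event names and
the ACCOUNT_OWNER table are all assumptions; map them onto the real audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: account -> owning user. In a SIEM this is a lookup/join against
# the application's account table, since the audit event may not carry the owner.
ACCOUNT_OWNER = {"acct-1": "u100", "acct-2": "u200", "acct-3": "u300"}

MODIFY_EVENTS = {"account_update", "balance_modify"}

# Constructed sample log: u100 edits its own account, then two other users'
# accounts within ten seconds; u200 edits its own account; u300 only logs in.
SAMPLE_LOG = """\
2026-02-01T10:00:00Z source=whisper-money event=account_update user_id=u100 target_account_id=acct-1
2026-02-01T10:00:05Z source=whisper-money event=balance_modify user_id=u100 target_account_id=acct-2
2026-02-01T10:00:09Z source=whisper-money event=balance_modify user_id=u100 target_account_id=acct-3
2026-02-01T10:30:00Z source=whisper-money event=balance_modify user_id=u200 target_account_id=acct-2
2026-02-01T10:31:00Z source=whisper-money event=login user_id=u300 target_account_id=-
"""


def parse_line(line):
    """'<iso timestamp> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def owner_mismatches(events):
    """Indicator: the authenticated user is not the owner of the account it modified.
    The comparison is user_id against the account's owner, not against the account
    id itself; those are different identifier spaces and comparing them directly
    would flag nearly every legitimate request."""
    hits = []
    for e in events:
        if e["event"] not in MODIFY_EVENTS:
            continue
        owner = ACCOUNT_OWNER.get(e["target_account_id"])
        if owner != e["user_id"]:
            hits.append((e["user_id"], e["target_account_id"], owner))
    return hits


def burst_modifiers(events, window=timedelta(minutes=1), threshold=3):
    """Indicator: many modifications by one user in a short window. Sliding window
    over each user's sorted timestamps; returns {user: max events in any window}
    for users at or above the threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] in MODIFY_EVENTS:
            by_user[e["user_id"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, acct, owner in owner_mismatches(events):
        print(f"mismatch: {user} modified {acct} owned by {owner}")
    print("burst:", burst_modifiers(events))
```

The ownership mismatch is the higher-fidelity signal; the burst count alone also fires on a legitimate user with several accounts doing a batch of edits, so tune the window and threshold to the application's normal traffic before alerting on it by itself.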
