Untriaged
Permalink
CVE-2026-49229
8.3 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): Low (L)
Activity log
- Created suggestion
Actual: Disabled OpenID users keep access through existing session tokens
Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row that has not expired without checking whether the associated user is still enabled, allowing a disabled user to continue calling authenticated server endpoints. This issue is fixed in version 26.6.0.
References
-
https://github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg x_refsource_CONFIRM
-
https://github.com/actualbudget/actual/releases/tag/v26.6.0 x_refsource_MISC
Affected products
actual
- ==< 26.6.0
Matching in nixpkgs
pkgs.actual-server
Super fast privacy-focused app for managing your finances
Package maintainers
-
@oddlama oddlama <oddlama@oddlama.org>
-
@yash-garg Yash Garg <me@yashgarg.dev>
-
@PatrickDaG Patrick <patrick-nixos@failmail.dev>
-
@honnip Jung seungwoo <me@honnip.page>