CVE-2026-49229
HIGH
8.3
CVSS 3.1
Description
Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row that has not expired without checking whether the associated user is still enabled, allowing a disabled user to continue calling authenticated server endpoints. This issue is fixed in version 26.6.0.
Metadata
Severity & Metrics
8.3
HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| actualbudget | actual | — | < 26.6.0 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-613 | cna | CWE-613: Insufficient Session Expiration |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 8.3 | HIGH | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L |
References (3)
- https://github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg https://github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg
- https://github.com/actualbudget/actual/commit/c8cb8a223a4faf1c2e1dcb0795a79a93f7b19e80 https://github.com/actualbudget/actual/commit/c8cb8a223a4faf1c2e1dcb0795a79a93f7b19e80
- https://github.com/actualbudget/actual/releases/tag/v26.6.0 https://github.com/actualbudget/actual/releases/tag/v26.6.0