Back to overview

CVE-2026-49229

HIGH
8.3
CVSS 3.1
Description
Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row that has not expired without checking whether the associated user is still enabled, allowing a disabled user to continue calling authenticated server endpoints. This issue is fixed in version 26.6.0.

Metadata

CVE ID
CVE-2026-49229
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-28 03:42 UTC
Published
2026-07-07 20:59 UTC
Last updated
2026-07-07 20:59 UTC
Primary CWE
CWE-613
CWE-613: Insufficient Session Expiration
Vendor / Product
actualbudget / actual
Sources
cve.org  ·  NVD

Severity & Metrics

8.3 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Affected products (1)
VendorProductPlatformVersions
actualbudget actual < 26.6.0
Weakness (CWE)
CWESourceDescription
CWE-613 cna CWE-613: Insufficient Session Expiration
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.3 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
References (3)
Back to overview