CVE-2026-49229
Actual: Disabled OpenID users keep access through existing session tokens
CVSS Score
8.3
EPSS Score
0.4%
EPSS Percentile
35th
Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row that has not expired without checking whether the associated user is still enabled, allowing a disabled user to continue calling authenticated server endpoints. This issue is fixed in version 26.6.0.
| CWE | CWE-613 |
| Vendor | actualbudget |
| Product | actual |
| Published | Jul 7, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for actualbudget actual
Be the first to know when new high vulnerabilities affecting actualbudget actual are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low
Affected Versions
actualbudget / actual
< 26.6.0