๐Ÿ” CVE Alert

CVE-2026-49229

HIGH 8.3

Actual: Disabled OpenID users keep access through existing session tokens

CVSS Score
8.3
EPSS Score
0.4%
EPSS Percentile
35th

Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row that has not expired without checking whether the associated user is still enabled, allowing a disabled user to continue calling authenticated server endpoints. This issue is fixed in version 26.6.0.

CWE CWE-613
Vendor actualbudget
Product actual
Published Jul 7, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for actualbudget actual

Be the first to know when new high vulnerabilities affecting actualbudget actual are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Affected Versions

actualbudget / actual
< 26.6.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg github.com: https://github.com/actualbudget/actual/commit/c8cb8a223a4faf1c2e1dcb0795a79a93f7b19e80 github.com: https://github.com/actualbudget/actual/releases/tag/v26.6.0