Actual: Disabled OpenID users keep access through existing session tokens
Summary
| CVE | CVE-2026-49229 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-07 22:16:52 UTC |
| Updated | 2026-07-08 15:28:15 UTC |
| Description | Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row that has not expired without checking whether the associated user is still enabled, allowing a disabled user to continue calling authenticated server endpoints. This issue is fixed in version 26.6.0. |
Risk And Classification
Primary CVSS: v3.1 8.3 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Problem Types: CWE-613 | CWE-613 CWE-613: Insufficient Session Expiration
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L |
| 3.1 | CNA | DECLARED | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
LowCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Actualbudget | Actual | affected < 26.6.0 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/actualbudget/actual/releases/tag/v26.6.0 | [email protected] | github.com | |
| github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | |
| github.com/actualbudget/actual/commit/c8cb8a223a4faf1c2e1dcb0795a79a93f7... | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.