{"api_version":"1","generated_at":"2026-07-08T18:27:45+00:00","cve":"CVE-2026-49229","urls":{"html":"https://cve.report/CVE-2026-49229","api":"https://cve.report/api/cve/CVE-2026-49229.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-49229","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-49229"},"summary":{"title":"Actual: Disabled OpenID users keep access through existing session tokens","description":"Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row that has not expired without checking whether the associated user is still enabled, allowing a disabled user to continue calling authenticated server endpoints. This issue is fixed in version 26.6.0.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-07 22:16:52","updated_at":"2026-07-08 15:28:15"},"problem_types":["CWE-613","CWE-613 CWE-613: Insufficient Session Expiration"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"8.3","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.3","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":8.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}}],"references":[{"url":"https://github.com/actualbudget/actual/releases/tag/v26.6.0","name":"https://github.com/actualbudget/actual/releases/tag/v26.6.0","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg","name":"https://github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/actualbudget/actual/commit/c8cb8a223a4faf1c2e1dcb0795a79a93f7b19e80","name":"https://github.com/actualbudget/actual/commit/c8cb8a223a4faf1c2e1dcb0795a79a93f7b19e80","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-49229","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49229","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"actualbudget","product":"actual","version":"affected < 26.6.0","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-49229","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-08T13:58:23.452582Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-08T13:58:43.272Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"actual","vendor":"actualbudget","versions":[{"status":"affected","version":"< 26.6.0"}]}],"descriptions":[{"lang":"en","value":"Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row that has not expired without checking whether the associated user is still enabled, allowing a disabled user to continue calling authenticated server endpoints. This issue is fixed in version 26.6.0."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":8.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-613","description":"CWE-613: Insufficient Session Expiration","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-07T20:59:34.173Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg","tags":["x_refsource_CONFIRM"],"url":"https://github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg"},{"name":"https://github.com/actualbudget/actual/commit/c8cb8a223a4faf1c2e1dcb0795a79a93f7b19e80","tags":["x_refsource_MISC"],"url":"https://github.com/actualbudget/actual/commit/c8cb8a223a4faf1c2e1dcb0795a79a93f7b19e80"},{"name":"https://github.com/actualbudget/actual/releases/tag/v26.6.0","tags":["x_refsource_MISC"],"url":"https://github.com/actualbudget/actual/releases/tag/v26.6.0"}],"source":{"advisory":"GHSA-cq9c-6w48-qmfg","discovery":"UNKNOWN"},"title":"Actual: Disabled OpenID users keep access through existing session tokens"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-49229","datePublished":"2026-07-07T20:59:34.173Z","dateReserved":"2026-05-28T03:42:34.342Z","dateUpdated":"2026-07-08T13:58:43.272Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-07 22:16:52","lastModifiedDate":"2026-07-08 15:28:15","problem_types":["CWE-613","CWE-613 CWE-613: Insufficient Session Expiration"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":5.5}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-08T13:58:23.452582Z","id":"CVE-2026-49229","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"49229","Ordinal":"1","Title":"Actual: Disabled OpenID users keep access through existing sessi","CVE":"CVE-2026-49229","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"49229","Ordinal":"1","NoteData":"Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row that has not expired without checking whether the associated user is still enabled, allowing a disabled user to continue calling authenticated server endpoints. This issue is fixed in version 26.6.0.","Type":"Description","Title":"Actual: Disabled OpenID users keep access through existing sessi"}]}}}