CVE-2026-49229 PUBLISHED

Actual: Disabled OpenID users keep access through existing session tokens

Assigner: GitHub_M
Reserved: 28.05.2026 Published: 07.07.2026 Updated: 08.07.2026

Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row that has not expired without checking whether the associated user is still enabled, allowing a disabled user to continue calling authenticated server endpoints. This issue is fixed in version 26.6.0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS Score: 8.3

Product Status

Vendor actualbudget
Product actual
Versions
  • Version < 26.6.0 is affected

References

Problem Types

  • CWE-613: Insufficient Session Expiration CWE