Local Security Flaw in Actual Personal Finance Tool Affects User Privileges
CVE-2026-33318

8.8HIGH

Key Information:

Vendor: Actualbudget
Status: Actual
Vendor: CVE Published:; 24 April 2026

🔔 Create Actualbudget Vulnerability Alert

What is CVE-2026-33318?

The Actual Personal Finance Tool has a serious vulnerability that allows authenticated users, even those with a BASIC role, to escalate privileges to ADMIN on servers transitioned from password authentication to OpenID Connect. This occurs due to a combination of three specific weaknesses: the absence of an authorization check on the password change endpoint, the retention of inactive password entries after migration, and a client-controlled login method that circumvents active authentication configurations. This exploit requires a precise sequence of steps to be effective; without the combination, each weakness alone does not allow for privilege escalation. Version 26.4.0 includes a fix to address these issues, underscoring the importance of software updates to maintain system security.

Affected Version(s)

actual < 26.4.0

References

https://github.com/actualbudget/actual/security/advisorie...

x_refsource_CONFIRM

https://actualbudget.org/blog/release-26.4.0

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Mar 18, 2026

CVE-2026-33318 Data

JSON