actual Allows Electron to Run As Node
CVE-2026-42890

4.8MEDIUM

Key Information:

Vendor: Actualbudget
Status: Actual
Vendor: CVE Published:; 12 June 2026

🔔 Create Actualbudget Vulnerability Alert

What is CVE-2026-42890?

Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable set. This converts the application into a Node.js REPL capable of executing arbitrary code that inherits the application's entitlements and code signature, bypassing macOS Gatekeeper review. Version 26.5.0 patches the issue.

Affected Version(s)

actual < 26.5.0

References

https://github.com/actualbudget/actual/security/advisorie...

x_refsource_CONFIRM

https://actualbudget.org/blog/release-26.5.0

x_refsource_MISC

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Apr 30, 2026

CVE-2026-42890 Data

JSON