OpenID Session Token Vulnerability in Actual Personal Finance App
CVE-2026-49229

8.3HIGH

Key Information:

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-49229?

The Actual Personal Finance App, in its configurations prior to version 26.6.0, presents a vulnerability wherein a disabled user retains access through existing OpenID session tokens. When a user is disabled, only future logins are blocked, allowing the user to still make authenticated requests as long as existing session tokens have not expired. This oversight in session validation can lead to potential unauthorized access to sensitive data, thereby undermining the application's security framework. The issue has since been addressed in the release of version 26.6.0.

Affected Version(s)

actual < 26.6.0

References

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.