OpenID Session Token Vulnerability in Actual Personal Finance App
CVE-2026-49229
8.3HIGH
What is CVE-2026-49229?
The Actual Personal Finance App, in its configurations prior to version 26.6.0, presents a vulnerability wherein a disabled user retains access through existing OpenID session tokens. When a user is disabled, only future logins are blocked, allowing the user to still make authenticated requests as long as existing session tokens have not expired. This oversight in session validation can lead to potential unauthorized access to sensitive data, thereby undermining the application's security framework. The issue has since been addressed in the release of version 26.6.0.
Affected Version(s)
actual < 26.6.0
