Perceptive Security
SOC/SIEM Consultancy

Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migra…
Published: 23 April 2026 at 22:00:00
Alert date: 24 April 2026 at 19:03:24
Source: nvd.nist.gov
Web Technologies, Identity & Access
CVE-2026-33318 affects Actual, a local-first personal finance tool, in versions prior to 26.4.0. The vulnerability allows any authenticated user with the BASIC role to escalate to ADMIN privileges on servers that were migrated from password authentication to OpenID Connect. Three weaknesses combine into an exploit chain: a missing authorization check on the POST /account/change-password endpoint, orphaned password-authentication rows that persist after the migration, and a client-controlled loginMethod parameter that bypasses the server's authentication configuration. An attacker can use this chain to set a known password and then authenticate as the anonymous admin account created during the multiuser migration. Version 26.4.0 contains the fix.
Mitigation steps: upgrade Actual to version 26.4.0, which contains the fix.
Affected products: Actual
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-33318
https://actualbudget.org/blog/release-26.4.0
https://github.com/actualbudget/actual/security/advisories/GHSA-prp4-2f49-fcgp
This article was created with the assistance of AI technology by Perceptive.
