
Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migra…

Published:

23 April 2026 at 22:00:00

Alert date:

24 April 2026 at 19:03:24

Source:

nvd.nist.gov


Web Technologies, Identity & Access

CVE-2026-33318 affects Actual, a local-first personal finance tool, in versions prior to 26.4.0. The vulnerability allows any authenticated user with the BASIC role to escalate to ADMIN privileges on servers that were migrated from password authentication to OpenID Connect. Three weaknesses combine into an exploit chain: a missing authorization check on the POST /account/change-password endpoint, orphaned password-authentication rows that persist after migration, and a client-controlled loginMethod parameter that bypasses the server's authentication configuration. An attacker can use this chain to set a known password and authenticate as the anonymous admin account created during the multiuser migration. Version 26.4.0 contains the fix.

Technical details

Mitigation steps:

Affected products:

Actual

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
