CVE-2026-49229
Received Received - Intake

OpenID Session Token Persistence in Actual Finance App

Vulnerability report for CVE-2026-49229, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row that has not expired without checking whether the associated user is still enabled, allowing a disabled user to continue calling authenticated server endpoints. This issue is fixed in version 26.6.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
actual actual 26.6.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Actual personal finance app in versions prior to 26.6.0 when using OpenID multi-user mode. When a user is disabled, the system only blocks future OpenID logins for that user identity. However, any existing session tokens for the disabled user remain valid because the session validation process does not check if the user is still enabled. This allows a disabled user to continue accessing authenticated server endpoints despite being disabled.

Impact Analysis

The vulnerability can allow a disabled user to maintain access to the application through existing session tokens. This means that even after disabling a user, that user could continue to perform actions and access sensitive data within the app, potentially leading to unauthorized access, data breaches, or misuse of the system.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Actual personal finance app to version 26.6.0 or later, where the issue is fixed.

Until the upgrade is applied, be aware that disabling a user in OpenID multi-user mode only blocks future logins but does not invalidate existing session tokens, so consider additional session management or token revocation strategies if possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49229. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart