Description
Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /account/change-password` has no authorization check, allowing any session to overwrite the password hash; the inactive password `auth` row is never removed on migration; and the login endpoint accepts a client-supplied `loginMethod` that bypasses the server's active auth configuration. Together these allow an attacker to set a known password and authenticate as the anonymous admin account created during the multiuser migration. The three weaknesses form a single, sequential exploit chain — none produces privilege escalation on its own. Missing authorization on POST /change-password allows overwriting a password hash, but only matters if there is an orphaned row to target. Orphaned password row persisting after migration provides the target row, but is harmless without the ability to authenticate using it. Client-controlled loginMethod: "password" allows forcing password-based auth, but is useless without a known hash established by step 1. All three must be chained in sequence to achieve the impact. No single weakness independently results in privilege escalation. The single root cause is the missing authorization check on /change-password; the other two are preconditions that make it exploitable. Version 26.4.0 contains a fix.
Published: 2026-04-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Actual is a local‑first personal finance application that, prior to version 26.4.0, allows any authenticated user, including those with a BASIC role, to attain administrative privileges on servers transitioned from password authentication to OpenID Connect. The attacker must first overwrite an orphaned password hash via POST /account/change-password, then use a client‑supplied loginMethod to force password authentication against that hash, and finally authenticate as the anonymous admin account created during the migration. The weakest point is the missing authorization check on the /change-password endpoint; the other weaknesses are preconditions that allow the chain to succeed. If all three steps succeed the attacker can modify all data and execute any action as an admin, compromising confidentiality, integrity, and availability of the system.

Affected Systems

The affected product is Actual from actualbudget. Versions older than 26.4.0 on servers that migrated to OpenID Connect are vulnerable. The vulnerability exists for installations that still retain orphaned password rows after migration to OpenID Connect. No specific operating system or Node.js version is indicated beyond the general dependency on Node.js for the application.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity impact. The EPSS score is less than 1%, indicating a very low probability of exploitation in the wild, yet the vulnerability has been documented in a public advisory and exists in deployed, unpatched systems. Because the exploitation chain requires sequential steps (overwriting a password hash, forcing a password login, and authenticating as the anonymous admin), the attack vector is likely internal or from a compromised authenticated session. The vulnerability is not listed in the CISA KEV catalog, but the high CVSS rating warrants prompt remediation. The lack of an authorization check on /change-password is the root cause and allows an attacker who can reach the endpoint to obtain full administrative control if the preconditions are present.

Generated by OpenCVE AI on April 28, 2026 at 14:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Actual 26.4.0 or later to apply the vendor fix.
  • Remove any orphaned password rows left over from a migration to OpenID Connect by running the appropriate database cleanup scripts.
  • Disable or restrict the POST /account/change-password endpoint to only authorized administrators, ensuring that only users with administrative roles can change passwords.
  • Configure the server to enforce OpenID Connect for all authentication requests and disable legacy password‑based login methods.



Advisories

Source: GitHub GHSA
ID: GHSA-prp4-2f49-fcgp
Title: Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers
History

Mon, 27 Apr 2026 15:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Actualbudget; Actualbudget actual

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:actualbudget:actual:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values removed: (none)
Values added: Actualbudget; Actualbudget actual

Sat, 25 Apr 2026 02:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 02:45:00 +0000

Type: Description
Values removed: (none)
Values added: the CVE description shown at the top of this page

Type: Title
Values removed: (none)
Values added: Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers

Type: Weaknesses
Values removed: (none)
Values added: CWE-284; CWE-862

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-25T01:44:08.129Z

Reserved: 2026-03-18T21:23:36.677Z

Link: CVE-2026-33318

Vulnrichment

Updated: 2026-04-25T01:44:03.808Z

NVD

Status: Analyzed

Published: 2026-04-24T03:16:11.203

Modified: 2026-04-27T15:01:34.633

Link: CVE-2026-33318

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:30:33Z

Weaknesses