Description
monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion of those transactions via the normal DELETE path. This bypass undermines the intended protection for imported transaction records and allows protected transactions to be hidden from normal views. This vulnerability is fixed in 1.12.3.
Published: 2026-04-08
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Deletion of Protected Transactions
Action: Apply Patch
AI Analysis

Impact

In monetr, a budgeting application, a transaction integrity flaw permits an authenticated tenant user to soft‑delete imported non‑manual transactions through the update (PUT) endpoint, even though the standard DELETE route explicitly blocks such deletions. By setting the deleted flag on these protected records, a user can hide them from normal views, thereby compromising the integrity of the application's transaction data.

Affected Systems

The issue impacts all monetr installations running versions prior to 1.12.3. Any tenant user with authentication privileges can exploit the flaw by using the transaction update API to delete protected transactions.

Risk and Exploitability

The vulnerability is assigned a CVSS score of 5.7, indicating moderate severity. EPSS data is not available, and it is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user leveraging the PUT endpoint; this inference is drawn from the description of the update-based deletion capability. Because authorization is required, the flaw is not publicly exploitable without tenant credentials, but it undermines internal data integrity controls and warrants prompt mitigation.

Generated by OpenCVE AI on April 8, 2026 at 22:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade monetr to version 1.12.3 or later.
  • Verify that the transaction update endpoint no longer permits deletion of protected transactions.

Generated by OpenCVE AI on April 8, 2026 at 22:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hqxq-hwqf-wg83 monetr: Protected Transactions Deletable via PUT
History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Monetr
Monetr monetr
Vendors & Products Monetr
Monetr monetr

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion of those transactions via the normal DELETE path. This bypass undermines the intended protection for imported transaction records and allows protected transactions to be hidden from normal views. This vulnerability is fixed in 1.12.3.
Title monetr: Protected Transactions Deletable via PUT
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N'}

Subscriptions

Monetr Monetr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T21:02:56.280Z

Reserved: 2026-04-07T20:32:03.012Z

Link: CVE-2026-39901

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-08T22:16:22.010

Modified: 2026-04-08T22:16:22.010

Link: CVE-2026-39901

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:27:09Z

Weaknesses