Description
Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable set. This converts the application into a Node.js REPL capable of executing arbitrary code that inherits the application's entitlements and code signature, bypassing macOS Gatekeeper review. Version 26.5.0 patches the issue.
Published: 2026-06-12
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Electron fused feature ELECTRON_RUN_AS_NODE not being disabled in the macOS desktop version 25.x of the Actual application. An attacker who can place a file on disk or supply command‑line arguments can invoke the signed Actual.app binary with the environment variable ELECTRON_RUN_AS_NODE set to 1, which transforms the app into a Node.js REPL. This grants the attacker the ability to execute arbitrary code that runs with the application's entitlements and signed code, effectively bypassing macOS Gatekeeper review. This is a code‑injection flaw (CWE‑94) and results in remote code execution with the full privileges of the application. The impact is significant for confidentiality, integrity, and availability of the user’s financial data and system.

Affected Systems

All installations of the macOS desktop application of Actual prior to version 26.5.0 that were built on Electron 39.2.7 are affected. The issue is resolved in version 26.5.0, which disables the ELECTRON_RUN_AS_NODE fuse, making the vulnerability moot after the upgrade.

Risk and Exploitability

The CVSS score is 4.8, indicating a moderate severity. The EPSS score is less than 1 %, reflecting a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to influence the environment in which Actual is launched, such as by dropping a script on disk or manipulating command‑line arguments. The likely attack vector is local, where a user who can write to the application’s directory or launch the binary can trigger the exploit.

Generated by OpenCVE AI on June 12, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official update to Actual 26.5.0 or later, which disables ELECTRON_RUN_AS_NODE and removes the exploitation path.
  • If an immediate upgrade is not possible, isolate the Actual.app binary in a sandboxed environment that blocks setting the ELECTRON_RUN_AS_NODE environment variable or the use of arbitrary command‑line arguments. This works around the issue by preventing the attacker from activating the Node REPL.
  • Enforce macOS security features such as Gatekeeper, Hardened Runtime, or user‑level execution policies to restrict execution of unsigned or altered binaries, ensuring that only the properly signed and verified Actual binary runs.

Generated by OpenCVE AI on June 12, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7rvm-xjpp-63r9 actual Allows Electron to Run As Node
History

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Actualbudget
Actualbudget actual
Vendors & Products Actualbudget
Actualbudget actual

Fri, 12 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Description Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable set. This converts the application into a Node.js REPL capable of executing arbitrary code that inherits the application's entitlements and code signature, bypassing macOS Gatekeeper review. Version 26.5.0 patches the issue.
Title actual Allows Electron to Run As Node
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Actualbudget Actual
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:04:10.446Z

Reserved: 2026-04-30T18:49:06.712Z

Link: CVE-2026-42890

cve-icon Vulnrichment

Updated: 2026-06-12T20:04:06.861Z

cve-icon NVD

Status : Received

Published: 2026-06-12T20:16:45.580

Modified: 2026-06-12T20:16:45.580

Link: CVE-2026-42890

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:30:06Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')