CVE-2026-33318
Description
Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including BASIC role) can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowing any session to overwrite the password hash; the inactive password auth row is never removed on migration; and the login endpoint accepts a client-supplied loginMethod that bypasses the server's active auth configuration. Together these allow an attacker to set a known password and authenticate as the anonymous admin account created during the multiuser migration. The three weaknesses form a single, sequential exploit chain — none produces privilege escalation on its own. Missing authorization on POST /change-password allows overwriting a password hash, but only matters if there is an orphaned row to target. Orphaned password row persisting after migration provides the target row, but is harmless without the ability to authenticate using it. Client-controlled loginMethod: "password" allows forcing password-based auth, but is useless without a known hash established by step 1. All three must be chained in sequence to achieve the impact. No single weakness independently results in privilege escalation. The single root cause is the missing authorization check on /change-password; the other two are preconditions that make it exploitable. Version 26.4.0 contains a fix.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@actual-app/sync-servernpm | < 26.4.0 | 26.4.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/actualbudget/actual/security/advisories/GHSA-prp4-2f49-fcgpnvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-prp4-2f49-fcgpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33318ghsaADVISORY
- actualbudget.org/blog/release-26.4.0nvdRelease NotesWEB
News mentions
41- Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student dataThe Register Security · May 14, 2026
- To gain root access at this company, all an intruder had to do was ask nicelyThe Register Security · May 14, 2026
- To gain root access at this company, all an intruder had to do was ask nicelyThe Register Security · May 14, 2026
- AWS to Quick admins: The access control didn't work, but you weren't using it anyway, so what's the problem?The Register Security · May 13, 2026
- Breaking things to keep them safe with Philippe LaulheretCisco Talos Intelligence · May 13, 2026
- [GUEST DIARY] Tearing apart website fraud to see how it works., (Wed, May 13th)SANS Internet Storm Center · May 13, 2026
- How Rapid7 is bringing Cyber GRC closer to security operationsRapid7 Blog · May 12, 2026
- When "idle" isn't idle: how a Linux kernel optimization became a QUIC bugCloudflare Blog · May 12, 2026
- State-sponsored actors, better known as the friends you don’t wantCisco Talos Intelligence · May 12, 2026
- The State of Ransomware – Q1 2026Check Point Research · May 11, 2026
- Worm rubs out competitor's malware, then takes controlThe Register Security · May 8, 2026
- Why the approaching flood of vulnerabilities changes everything — and what to do about itTenable Blog · May 8, 2026
- When DNSSEC goes wrong: how we responded to the .de TLD outageCloudflare Blog · May 6, 2026
- Attackers Actively Exploiting Critical Vulnerability in Breeze Cache PluginWordfence Blog · May 5, 2026
- UAT-8302 and its box full of malwareCisco Talos Intelligence · May 5, 2026
- CloudZ RAT potentially steals OTP messages using Pheno pluginCisco Talos Intelligence · May 5, 2026
- Introducing Dynamic Workflows: durable execution that follows the tenantCloudflare Blog · May 1, 2026
- New infosec products of the month: April 2026Help Net Security · May 1, 2026
- More PayPal emails hijacked to deliver tech support scamsMalwarebytes Labs · Apr 30, 2026
- Finance company stores DB credentials in helpfully labeled spreadsheetThe Register Security · Apr 30, 2026
- VECT: Ransomware by design, Wiper by accidentCheck Point Research · Apr 28, 2026
- As the NVD scales back CVE enrichment, here’s what Tenable customers need to knowTenable Blog · Apr 27, 2026
- It pays to be a forever studentCisco Talos Intelligence · Apr 23, 2026
- Five steps to become Mythos readyTenable Blog · Apr 23, 2026
- UAT-4356's Targeting of Cisco Firepower DevicesCisco Talos Intelligence · Apr 23, 2026
- Project Glasswing and the Next Challenge for Defenders: Turning Faster Discovery into Faster ActionRapid7 Blog · Apr 20, 2026
- Orchestrating AI Code Review at scaleCloudflare Blog · Apr 20, 2026
- Building the agentic cloud: everything we launched during Agents Week 2026Cloudflare Blog · Apr 20, 2026
- Metasploit Wrap-Up 04/17/2026Rapid7 Blog · Apr 17, 2026
- Introducing the Agent Readiness score. Is your site agent-ready?Cloudflare Blog · Apr 17, 2026
- Shared Dictionaries: compression that keeps up with the agentic webCloudflare Blog · Apr 17, 2026
- Unweight: how we compressed an LLM 22% without sacrificing qualityCloudflare Blog · Apr 17, 2026
- Agents that remember: introducing Agent MemoryCloudflare Blog · Apr 17, 2026
- Frontier AI Reinforces the Future of Modern Cyber DefenseSentinelOne Labs · Apr 16, 2026
- Attackers Actively Exploiting Critical Vulnerability in Ninja Forms – File Upload PluginWordfence Blog · Apr 16, 2026
- Artifacts: versioned storage that speaks GitCloudflare Blog · Apr 16, 2026
- Attackers Actively Exploiting Critical Vulnerability in Kali Forms PluginWordfence Blog · Apr 13, 2026
- Risky Business #832 -- Anthropic unveils magical 0day computer GodRisky Business · Apr 8, 2026
- AI Threat Landscape Digest January-February 2026Check Point Research · Mar 29, 2026
- ABB Automation Builder Gateway for WindowsCISA Alerts
- Siemens SIMATICCISA Alerts