CVE-2026-33318

HIGH EPSS 37.3%
Published Apr 24, 20262mo ago · Modified Jun 17, 20262w ago
8.8 CVSS 3.1
High
Find Similar
Published Apr 24, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /account/change-password` has no authorization check, allowing any session to overwrite the password hash; the inactive password `auth` row is never removed on migration; and the login endpoint accepts a client-supplied `loginMethod` that bypasses the server's active auth configuration. Together these allow an attacker to set a known password and authenticate as the anonymous admin account created during the multiuser migration. The three weaknesses form a single, sequential exploit chain — none produces privilege escalation on its own. Missing authorization on POST /change-password allows overwriting a password hash, but only matters if there is an orphaned row to target. Orphaned password row persisting after migration provides the target row, but is harmless without the ability to authenticate using it. Client-controlled loginMethod: "password" allows forcing password-based auth, but is useless without a known hash established by step 1. All three must be chained in sequence to achieve the impact. No single weakness independently results in privilege escalation. The single root cause is the missing authorization check on /change-password; the other two are preconditions that make it exploitable. Version 26.4.0 contains a fix.

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
37.3% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 2

CWE-284
CWE-862 Missing Authorization Authorization

Affected Products 1

VendorProductVersionRange
actualbudgetactual* <26.4.0

References 2

  • actualbudget.org https://actualbudget.org/blog/release-26.4.0
    Release Notes
  • github.com https://github.com/actualbudget/actual/security/advisories/GHSA-prp4-2f49-fcgp
    ExploitMitigationVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.