Vulnerability in Actualbudget Actual
CVE-2026-49229
Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shar…
CVSS v3 metric
CVSS v3 base score 8.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L.
Affected products
- Actualbudget Actual — versions < 26.6.0
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-49229?
- CVE-2026-49229 is a high-severity vulnerability in Actualbudget Actual, classified under Insufficient Session Expiration. CVSS score: 8.3/10. Published 2026-07-07.
- How severe is CVE-2026-49229?
- High severity. CVSS v3 base score is 8.3 out of 10.