Vulnerability in Actualbudget Actual

CVE-2026-49229

Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shar…

CVSS v3 metric

CVSS v3 base score 8.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L.

Affected products

Weakness classification (CWE)

References

Frequently asked questions

What is CVE-2026-49229?
CVE-2026-49229 is a high-severity vulnerability in Actualbudget Actual, classified under Insufficient Session Expiration. CVSS score: 8.3/10. Published 2026-07-07.
How severe is CVE-2026-49229?
High severity. CVSS v3 base score is 8.3 out of 10.