CVE-2026-33318: CWE-284: Improper Access Control in actualbudget actual
CVE-2026-33318 is a high-severity improper access control vulnerability in actualbudget's Actual personal finance tool versions prior to 26. 4. 0. It allows any authenticated user with a BASIC role to escalate privileges to ADMIN on servers migrated from password authentication to OpenID Connect. The exploit requires chaining three weaknesses: lack of authorization on the password change endpoint, persistence of an inactive password authentication record after migration, and acceptance of a client-supplied login method that bypasses active authentication configuration. The vulnerability is fixed in version 26. 4. 0.
AI Analysis
Technical Summary
Actualbudget Actual versions before 26.4.0 contain an improper access control vulnerability (CWE-284) that enables privilege escalation from BASIC to ADMIN roles on migrated servers. The vulnerability arises from a missing authorization check on the POST /account/change-password endpoint, allowing any authenticated session to overwrite password hashes. This is exploitable only if an inactive password authentication record remains after migration from password to OpenID Connect authentication, and if the login endpoint accepts a client-supplied loginMethod parameter forcing password-based authentication. These three weaknesses must be chained sequentially to achieve administrative access. The root cause is the missing authorization check on the password change endpoint. Version 26.4.0 includes a fix for this issue.
Potential Impact
Successful exploitation allows an authenticated user with BASIC privileges to escalate to ADMIN privileges, potentially compromising the entire server instance and all user data managed by Actual. The vulnerability affects confidentiality, integrity, and availability (CIA) with high impact scores. No known exploits in the wild have been reported as of the published date.
Mitigation Recommendations
Upgrade to Actual version 26.4.0 or later, which contains a fix for this vulnerability. Since this is a local software product (not a cloud service), remediation requires applying the official update. Patch status is not explicitly stated in the vendor advisory, but version 26.4.0 is confirmed to contain the fix. Until upgraded, restrict access to authenticated users and monitor for suspicious password change requests if possible.
CVE-2026-33318: CWE-284: Improper Access Control in actualbudget actual
Description
CVE-2026-33318 is a high-severity improper access control vulnerability in actualbudget's Actual personal finance tool versions prior to 26. 4. 0. It allows any authenticated user with a BASIC role to escalate privileges to ADMIN on servers migrated from password authentication to OpenID Connect. The exploit requires chaining three weaknesses: lack of authorization on the password change endpoint, persistence of an inactive password authentication record after migration, and acceptance of a client-supplied login method that bypasses active authentication configuration. The vulnerability is fixed in version 26. 4. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Actualbudget Actual versions before 26.4.0 contain an improper access control vulnerability (CWE-284) that enables privilege escalation from BASIC to ADMIN roles on migrated servers. The vulnerability arises from a missing authorization check on the POST /account/change-password endpoint, allowing any authenticated session to overwrite password hashes. This is exploitable only if an inactive password authentication record remains after migration from password to OpenID Connect authentication, and if the login endpoint accepts a client-supplied loginMethod parameter forcing password-based authentication. These three weaknesses must be chained sequentially to achieve administrative access. The root cause is the missing authorization check on the password change endpoint. Version 26.4.0 includes a fix for this issue.
Potential Impact
Successful exploitation allows an authenticated user with BASIC privileges to escalate to ADMIN privileges, potentially compromising the entire server instance and all user data managed by Actual. The vulnerability affects confidentiality, integrity, and availability (CIA) with high impact scores. No known exploits in the wild have been reported as of the published date.
Mitigation Recommendations
Upgrade to Actual version 26.4.0 or later, which contains a fix for this vulnerability. Since this is a local software product (not a cloud service), remediation requires applying the official update. Patch status is not explicitly stated in the vendor advisory, but version 26.4.0 is confirmed to contain the fix. Until upgraded, restrict access to authenticated users and monitor for suspicious password change requests if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-18T21:23:36.677Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69eada9887115cfb68a5e998
Added to database: 4/24/2026, 2:51:04 AM
Last enriched: 4/24/2026, 3:06:20 AM
Last updated: 4/24/2026, 5:10:18 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.