CVE-2026-33318 affects Actualbudget's Actual personal finance tool versions prior to 26.4.0. The vulnerability arises from a missing authorization check on the POST /account/change-password endpoint, allowing any authenticated user to overwrite password hashes. This alone is insufficient for privilege escalation but becomes exploitable when combined with two other conditions: an orphaned inactive password authentication row that remains after migrating from password-based authentication to OpenID Connect, and the login endpoint accepting a client-supplied loginMethod parameter that can force password-based authentication. Together, these weaknesses form a sequential exploit chain enabling a basic user to escalate privileges to admin by setting a known password for the orphaned admin account and authenticating as that admin. The root cause is the missing authorization on the password change endpoint, with the other two conditions acting as necessary preconditions. The vulnerability has a CVSS 3.1 score of 8.8 (High). Version 26.4.0 contains a fix.

Successful exploitation allows an authenticated user with basic privileges to escalate to administrative privileges on affected Actualbudget Actual servers migrated from password authentication to OpenID Connect. This results in full confidentiality, integrity, and availability impact (C:H/I:H/A:H) as the attacker gains admin-level control. No known exploits in the wild have been reported.

Version 26.4.0 of Actualbudget Actual contains an official fix that addresses this vulnerability by adding proper authorization checks on the password change endpoint and correcting the migration process to remove inactive password authentication rows. Users should upgrade to version 26.4.0 or later to remediate this issue. Since this is a self-hosted application, administrators must apply the update manually. Patch status is not explicitly stated beyond the fix in 26.4.0; check vendor advisories for the latest remediation guidance.