2 matches found
CVE-2026-49229
Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row...
CVE-2026-49229
creationtimestamp| type| source ---|---|--- 2026-06-12 20:15:56+00:00| published-proof-of-concept| https://github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg 2026-07-07 23:42:50+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mq3rthnc4p2e...