SCA: security update for @actual-app/sync-server (GHSA-prp4-2f49-fcgp)

high Tenable Cloud Security Plugin ID 440796

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including
`BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect.
Three weaknesses combine: `POST /account/change-password` has no authorization check, allowing any session
to overwrite the password hash; the inactive password `auth` row is never removed on migration; and the
login endpoint accepts a client-supplied `loginMethod` that bypasses the server's active auth
configuration. Together these allow an attacker to set a known password and authenticate as the anonymous
admin account created during the multiuser migration. The three weaknesses form a single, sequential
exploit chain — none produces privilege escalation on its own. Missing authorization on POST /change-
password allows overwriting a password hash, but only matters if there is an orphaned row to target.
Orphaned password row persisting after migration provides the target row, but is harmless without the
ability to authenticate using it. Client-controlled loginMethod: "password" allows forcing password-based
auth, but is useless without a known hash established by step 1. All three must be chained in sequence to
achieve the impact. No single weakness independently results in privilege escalation. The single root
cause is the missing authorization check on /change-password; the other two are preconditions that make it
exploitable. Version 26.4.0 contains a fix. (CVE-2026-33318)

Solution

Update the @actual-app/sync-server library and its related packages to version 26.4.0 or later.

See Also

https://github.com/advisories/GHSA-prp4-2f49-fcgp

Plugin Details

Severity: High

ID: 440796

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 4/24/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.98

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-33318

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/23/2026

Vulnerability Publication Date: 4/23/2026

Reference Information

CVE: CVE-2026-33318