Actual Finance Tool: Local Admin Escalation via OIDC Migration Flaw
The National Vulnerability Database has disclosed CVE-2026-33318, a high-severity privilege escalation vulnerability impacting Actual, a local-first personal finance tool. Prior to version 26.4.0, any authenticated user, including those with a BASIC role, could escalate to ADMIN on servers that had migrated from password authentication to OpenID Connect (OIDC). This isn’t a simple oversight; it’s a chain of three distinct weaknesses that attackers can exploit sequentially.
The exploit chain hinges on a missing authorization check on POST /account/change-password, which allows any session to overwrite a password hash. This is combined with the fact that an inactive password authentication row isn’t removed post-migration, providing a target. Finally, the login endpoint accepts a client-supplied loginMethod of “password”, bypassing the server’s active OIDC configuration. An attacker can set a known password for an orphaned admin account and then force password-based authentication to log in as an administrator. Each weakness alone is harmless, but together they grant full administrative control.
This is a critical flaw for organizations using Actual with OIDC. The National Vulnerability Database confirms that version 26.4.0 contains the necessary fix. Defenders must prioritize patching to mitigate this clear path to local administrator privileges, which could lead to complete compromise of sensitive financial data.
What This Means For You
- If your organization uses Actual as a personal finance tool and has migrated from password authentication to OpenID Connect, you are exposed. Immediately verify your Actual instance version. Patch to 26.4.0 or newer without delay. This isn't a theoretical risk; it's a direct path for any authenticated user to gain admin privileges and access all financial data. Don't wait.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-33318 - Actual Finance Tool Local Admin Escalation via OIDC Migration Flaw
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-33318 | Privilege Escalation | Actual personal finance tool versions prior to 26.4.0 |
| CVE-2026-33318 | Auth Bypass | POST /account/change-password endpoint with missing authorization check |
| CVE-2026-33318 | Misconfiguration | Inactive password 'auth' row not removed after OpenID Connect migration |
| CVE-2026-33318 | Auth Bypass | Login endpoint accepts client-supplied 'loginMethod' to bypass server's active auth configuration |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 24, 2026 at 06:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related Posts
D-Link DWM-222W Wi-Fi Adapter Vulnerable to Brute-Force Bypass
CVE-2026-6947 — DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Protection Bypass vulnerability, allowing unauthenticated adjacent network attackers to bypass login attempt limits...
CVE-2026-6393 — The BetterDocs plugin for WordPress is vulnerable to
CVE-2026-6393 — The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing...
CVE-2026-5488 — The ExactMetrics – Google Analytics Dashboard for WordPress
CVE-2026-5488 — The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2....