CVE-2026-33318
Published: 24 April 2026
Summary
CVE-2026-33318 is a high-severity Improper Access Control (CWE-284) vulnerability in Actualbudget Actual. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 22.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved access authorizations on endpoints like POST /account/change-password, directly preventing unauthorized users from overwriting admin password hashes.
Implements least privilege to restrict BASIC role users from performing administrative actions such as privilege escalation via password hash manipulation.
Manages accounts by disabling or removing inactive authentication rows, such as orphaned password auth for anonymous admin post-migration to OpenID Connect.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization on change-password endpoint plus loginMethod bypass enables any low-priv user to overwrite an orphaned admin password hash and authenticate as admin, directly facilitating account manipulation (T1098) via exploitation of the software vulnerability for privilege escalation (T1068).
NVD Description
Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /account/change-password` has no authorization check, allowing…
more
any session to overwrite the password hash; the inactive password `auth` row is never removed on migration; and the login endpoint accepts a client-supplied `loginMethod` that bypasses the server's active auth configuration. Together these allow an attacker to set a known password and authenticate as the anonymous admin account created during the multiuser migration. The three weaknesses form a single, sequential exploit chain — none produces privilege escalation on its own. Missing authorization on POST /change-password allows overwriting a password hash, but only matters if there is an orphaned row to target. Orphaned password row persisting after migration provides the target row, but is harmless without the ability to authenticate using it. Client-controlled loginMethod: "password" allows forcing password-based auth, but is useless without a known hash established by step 1. All three must be chained in sequence to achieve the impact. No single weakness independently results in privilege escalation. The single root cause is the missing authorization check on /change-password; the other two are preconditions that make it exploitable. Version 26.4.0 contains a fix.
Deeper analysisAI
CVE-2026-33318 is a privilege escalation vulnerability affecting Actual, a local-first personal finance tool, in versions prior to 26.4.0. The issue impacts multiuser servers that have been migrated from password authentication to OpenID Connect, where an inactive password authentication row for an anonymous admin account persists. It stems from three chained weaknesses: a missing authorization check on the POST /account/change-password endpoint, which allows any authenticated session to overwrite a password hash; the failure to remove the orphaned password auth row during migration; and the login endpoint's acceptance of a client-supplied loginMethod parameter, which bypasses the server's active authentication configuration. These combine into a sequential exploit chain rated at CVSS 3.1 score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization), with the root cause being the lack of authorization on the change-password endpoint.
Any authenticated user, including those with only a BASIC role, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. The attacker first uses their existing session to POST to /account/change-password and overwrite the password hash of the orphaned admin account with a known value. They then authenticate via the login endpoint by supplying loginMethod="password" and the known password, bypassing OpenID Connect and gaining access as the anonymous admin account with ADMIN privileges. This grants high confidentiality, integrity, and availability impact, enabling full administrative control over the server.
Advisories from the Actual Budget release notes and GitHub security advisory GHSA-prp4-2f49-fcgp confirm that version 26.4.0 resolves the vulnerability by addressing the missing authorization check and related issues in the exploit chain. Security practitioners should upgrade affected Actual servers to version 26.4.0 or later, particularly those using multiuser mode post-migration to OpenID Connect, and review access logs for signs of exploitation such as unauthorized change-password requests or anomalous password-based logins.
Details
- CWE(s)