CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49229

highCVSS 8.3covered by 1 sourcefirst seen 2026-07-07
Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row that has not expired without checking whether the associated user is still enabled, allowing a disabled user to continue calling authenticated server endpoints. This issue is fixed in version 26.6.0.

⚡ Watch CVE-2026-49229

Get an email if CVE-2026-49229 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-49229

CVE.org record

Embed the live status

CVE-2026-49229 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49229 status](https://www.csirts.com/badge/CVE-2026-49229)](https://www.csirts.com/cve/CVE-2026-49229)