CVE-2026-33318: Privilege Escalation via Sequential Exploit Chain in Actual sync-server
Vulnerability ID: CVE-2026-33318
CVSS Score: 8.8
Published: 2026-04-23
Actual versions prior to 26.4.0 contain a high-severity (CVSS 8.8) privilege escalation vulnerability in the sync-server component. The flaw affects environments migrating to OpenID Connect (OIDC): an authenticated user with a basic role can take over an administrative account through an orphaned password record that the migration leaves behind.
TL;DR
A privilege escalation vulnerability in Actual's sync-server allows authenticated users with basic roles to obtain administrative privileges. The issue stems from missing authorization checks on password change endpoints, blind credential overwrites, and improper handling of client-controlled authentication methods during OIDC migration.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-284 (Improper Access Control), CWE-862 (Missing Authorization)
- Attack Vector: Network (AV:N)
- CVSS Score: 8.8 (High)
- Privileges Required: Low (PR:L)
- User Interaction: None (UI:N)
- Exploit Status: weaponized
Affected Systems
- Actual sync-server component (prior to v26.4.0)
- Actual: < 26.4.0 (fixed in 26.4.0)
Mitigation Strategies
- Upgrade the Actual software to version 26.4.0 or later.
- Manually audit the sync-server database for inactive password authentication records left behind by the OIDC migration.
- Implement network-level access controls to restrict access to the sync-server API.
Remediation Steps:
- Download the Actual version 26.4.0 release.
- Deploy the updated sync-server container or application.
- Back up the sync-server data, then connect to the underlying SQLite database hosting it.
- Purge the ghost records (inactive password entries) by executing:

```sql
DELETE FROM auth WHERE method = 'password' AND active = 0;
```

Run the same WHERE clause as a SELECT first to confirm which rows will be removed. Do the purge after the upgrade, not instead of it: deleting the rows removes the records an attacker could hijack in an existing database, but only the 26.4.0 code adds the missing authorization checks.
References
- GitHub Security Advisory GHSA-prp4-2f49-fcgp
- Actual Budget Release 26.4.0 Blog Post
- CVE.org Record for CVE-2026-33318
- Actual Budget Primary Repository