CVE Reports

Originally published at cvereports.com

CVE-2026-39901: Authorization Bypass and Transaction Integrity Flaw in monetr

Vulnerability ID: CVE-2026-39901
CVSS Score: 5.7
Published: 2026-04-08

The monetr budgeting application prior to version 1.12.3 contains an authorization bypass flaw. An authenticated tenant user can soft-delete an otherwise immutable 'synced' transaction by including a deletedAt field in the payload sent to the update (PUT) endpoint, bypassing the restriction that the standard DELETE endpoint enforces for synced transactions.

TL;DR

A logic flaw in monetr < 1.12.3 allows authenticated users to bypass soft-delete restrictions on synced transactions via a crafted PUT request, undermining financial data integrity.
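The flaw described above is a mass-assignment pattern: the update handler binds the client's JSON straight onto the stored record, so a server-owned field such as deletedAt rides along with legitimate edits. The Go program below is an added illustration written for this page, not monetr's code; the Transaction struct, its field names and JSON tags, and the handler names are assumptions. It contrasts a handler that decodes onto the row with one that decodes into an explicit allowlist type and rejects unknown keys, alongside the DELETE rule that the PUT path was able to sidestep.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Transaction is a simplified stand-in for a monetr transaction record.
// Field set and JSON tags are assumptions for this example, not monetr's schema.
type Transaction struct {
	ID        uint64     `json:"transactionId"`
	Name      string     `json:"name"`
	Amount    int64      `json:"amount"`
	IsSynced  bool       `json:"isSynced"`  // true when imported from a linked bank
	DeletedAt *time.Time `json:"deletedAt"` // soft-delete marker; nil means the row is live
}

// updateVulnerable decodes the PUT body directly onto the stored row. Because
// DeletedAt is an exported, JSON-tagged field, the client can set it and the
// row is "soft-deleted" without the DELETE endpoint's synced-row check running.
func updateVulnerable(stored Transaction, body []byte) (Transaction, error) {
	if err := json.Unmarshal(body, &stored); err != nil {
		return Transaction{}, err
	}
	return stored, nil
}

// transactionUpdate is the allowlist of fields a client may change via PUT.
// deletedAt is deliberately absent: it is server-owned state.
type transactionUpdate struct {
	Name   *string `json:"name"`
	Amount *int64  `json:"amount"`
}

var errUnexpectedField = errors.New("update contains a field that is not client-writable")

// updateHardened decodes into the allowlist type and refuses unknown keys, so a
// smuggled "deletedAt" fails closed (map to HTTP 400) instead of being applied.
func updateHardened(stored Transaction, body []byte) (Transaction, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var upd transactionUpdate
	if err := dec.Decode(&upd); err != nil {
		return Transaction{}, fmt.Errorf("%w: %v", errUnexpectedField, err)
	}
	if upd.Name != nil {
		stored.Name = *upd.Name
	}
	if upd.Amount != nil {
		stored.Amount = *upd.Amount
	}
	return stored, nil
}

// deleteTransaction models the DELETE endpoint's rule: synced rows are immutable.
// Every code path able to set DeletedAt must enforce the same invariant.
func deleteTransaction(stored Transaction, now time.Time) (Transaction, error) {
	if stored.IsSynced {
		return stored, errors.New("synced transactions cannot be deleted")
	}
	stored.DeletedAt = &now
	return stored, nil
}

// Constructed attack payload: a harmless-looking rename with deletedAt smuggled in.
var attackBody = []byte(`{"name":"Coffee","deletedAt":"2026-04-01T00:00:00Z"}`)

func main() {
	synced := Transaction{ID: 42, Name: "COFFEE SHOP", Amount: -450, IsSynced: true}

	if _, err := deleteTransaction(synced, time.Now()); err != nil {
		fmt.Println("DELETE refused:", err)
	}
	got, _ := updateVulnerable(synced, attackBody)
	fmt.Println("vulnerable PUT set deletedAt:", got.DeletedAt != nil)
	_, err := updateHardened(synced, attackBody)
	fmt.Println("hardened PUT rejected:", err != nil)
}
```

DisallowUnknownFields turns the unexpected key into a decode error the handler can surface as a 400; the allowlist struct is what guarantees deletedAt is never client-writable even if that call is later dropped. The invariant that synced rows cannot acquire a DeletedAt value belongs at the persistence layer as well, so that any future write path inherits it rather than re-implementing the check.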


Technical Details

  • CWE ID: CWE-285 (Improper Authorization)
  • Attack Vector: Network
  • CVSS Score: 5.7 (Medium)
  • Impact: High (integrity of financial transaction data)
  • Exploit Status: Proof-of-Concept
  • Authentication Required: Yes (low-privileged tenant user)

Affected Systems

  • monetr budgeting application: all versions prior to 1.12.3 (fixed in 1.12.3)

Mitigation Strategies

  • Upgrade monetr to version 1.12.3 or later.
  • As an interim control only, add a WAF rule that flags PUT requests to the transaction update endpoint whose JSON body carries a deletedAt key, running it in monitoring mode first to confirm the legitimate client never sends the field. Match on the parsed JSON key rather than the raw string: JSON allows escaped key names such as "deleted\u0041t", and a Go backend decoding with encoding/json matches struct fields case-insensitively, so a literal substring rule is trivially bypassed.
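To make the WAF caveat concrete, the Go program below (an added example for this page, not monetr's code or any vendor's rule syntax) compares a substring rule against a detector that parses the body and walks every object for the key, comparing case-insensitively. The request bodies are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// naiveMatch is what a substring-based WAF rule effectively does.
func naiveMatch(body []byte, key string) bool {
	return strings.Contains(string(body), key)
}

// hasKey parses the body as JSON and reports whether any object, at any nesting
// depth, carries the key. The comparison is case-insensitive because Go's
// encoding/json maps "DELETEDAT" onto a DeletedAt struct field just as readily
// as the exact spelling, so a Go backend would honour the variant.
func hasKey(body []byte, key string) (bool, error) {
	var doc interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return false, err
	}
	return walk(doc, key), nil
}

func walk(v interface{}, key string) bool {
	switch node := v.(type) {
	case map[string]interface{}:
		for k, child := range node {
			if strings.EqualFold(k, key) || walk(child, key) {
				return true
			}
		}
	case []interface{}:
		for _, child := range node {
			if walk(child, key) {
				return true
			}
		}
	}
	return false
}

// Constructed request bodies. The raw-string literal keeps the \u0041 escape in
// the JSON text, which the decoder turns back into "deletedAt".
var (
	plainBody   = []byte(`{"name":"Coffee","deletedAt":"2026-04-01T00:00:00Z"}`)
	escapedBody = []byte(`{"name":"Coffee","deleted\u0041t":"2026-04-01T00:00:00Z"}`)
	caseBody    = []byte(`{"name":"Coffee","DELETEDAT":"2026-04-01T00:00:00Z"}`)
	benignBody  = []byte(`{"name":"Coffee","amount":-450}`)
)

func main() {
	samples := map[string][]byte{
		"plain": plainBody, "escaped": escapedBody, "case": caseBody, "benign": benignBody,
	}
	for name, body := range samples {
		parsed, err := hasKey(body, "deletedAt")
		fmt.Printf("%-8s substring=%-5v parsed=%-5v err=%v\n",
			name, naiveMatch(body, "deletedAt"), parsed, err)
	}
}
```

Only the plain variant trips the substring rule; the escaped and case variants reach the backend untouched, which is why a key-name filter is a stopgap and the server-side fix in 1.12.3 is the real remediation.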

Remediation Steps:

  1. Identify all deployed instances of the monetr application.
  2. Verify the current version number. If it is < 1.12.3, proceed with patching.
  3. Pull the Docker image or binary for version 1.12.3 or later.
  4. Deploy the updated version and restart the application services.
  5. Verify that a PUT request carrying a deletedAt field against a synced transaction is rejected and that the transaction remains undeleted.
