Threat Advisory

Unvalidated Input Vulnerability in Actual Sync Server Backend

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-33318, with a CVSS score of 8.8, is a vulnerability in the package @actual-app/sync-server, affecting versions. The vulnerability allows an authenticated user to escalate to ADMIN on servers migrated from password authentication to OpenID Connect by leveraging three weaknesses: the "/account/change-password" endpoint lacks authorization checks, the inactive password "auth" row is never removed on migration, and the login endpoint accepts a client-supplied "loginMethod" that bypasses the server's active auth configuration. An attacker with any valid OpenID session token can exploit this vulnerability by overwriting the password hash, logging in via the password method, and obtaining an ADMIN session, resulting in privilege escalation that enables the attacker to manage all users, access all budget files, modify file access controls, and change server configuration. Prerequisites for exploitation are a server originally bootstrapped with password auth and then switched to OpenID, a default "allowedLoginMethods" configuration, and an attacker possessing any valid OpenID session token.


RECOMMENDATION:

We recommend updating @actual-app/sync-server to version 26.4.0 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-prp4-2f49-fcgp