{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/actual/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@actual-app/sync-server"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","web-application"],"_cs_type":"advisory","_cs_vendors":["Actual"],"content_html":"\u003cp\u003eActual is vulnerable to a privilege escalation attack affecting servers migrated from password authentication to OpenID Connect. This vulnerability, identified as CVE-2026-33318, allows any authenticated user, regardless of their initial role (including the BASIC role), to gain full ADMIN access. The vulnerability stems from three weaknesses: a missing authorization check on the \u003ccode\u003e/account/change-password\u003c/code\u003e endpoint, the persistence of the inactive password \u003ccode\u003eauth\u003c/code\u003e row after migration, and the acceptance of a client-supplied \u003ccode\u003eloginMethod\u003c/code\u003e which bypasses the server\u0026rsquo;s active auth configuration. This allows an attacker to overwrite the password hash for the admin account, authenticate, and gain complete control over the system. This affects multi-user servers running OpenID Connect that were previously configured with password authentication. Servers bootstrapped exclusively with OpenID are not affected. Versions prior to 26.4.0 of \u003ccode\u003e@actual-app/sync-server\u003c/code\u003e are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid session token for any user role (including BASIC) on a migrated Actual server.\u003c/li\u003e\n\u003cli\u003eAttacker sends a POST request to \u003ccode\u003e/account/change-password\u003c/code\u003e with a new password, using the valid session token in the \u003ccode\u003eX-Actual-Token\u003c/code\u003e header and a JSON body containing the desired password.\u003c/li\u003e\n\u003cli\u003eThe server updates the password hash in the \u003ccode\u003eauth\u003c/code\u003e table for the inactive password authentication method, due to the missing authorization check.\u003c/li\u003e\n\u003cli\u003eAttacker sends a POST request to \u003ccode\u003e/account/login\u003c/code\u003e with the \u003ccode\u003eloginMethod\u003c/code\u003e parameter set to \u0026ldquo;password\u0026rdquo; and the password set in the previous step.\u003c/li\u003e\n\u003cli\u003eThe server accepts the client-supplied \u003ccode\u003eloginMethod\u003c/code\u003e and authenticates the attacker as the anonymous admin account (username = \u0026lsquo;\u0026rsquo;), as this is the default user created during multiuser migration with ADMIN role.\u003c/li\u003e\n\u003cli\u003eThe server returns a new session token for the admin account.\u003c/li\u003e\n\u003cli\u003eAttacker uses the admin token to access administrative functions on the server.\u003c/li\u003e\n\u003cli\u003eAttacker can manage all users, access all budget files, modify file access controls, and change server configuration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants an attacker full administrative privileges on the affected Actual server. This allows the attacker to manage all users, access all budget files regardless of ownership, modify file access controls, and change server configuration. The vulnerability affects multi-user servers running OpenID Connect that were previously configured with password authentication, meaning that a wide range of sensitive data and configurations are at risk. This can lead to significant data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to \u003ccode\u003e@actual-app/sync-server\u003c/code\u003e version 26.4.0 or later to remediate CVE-2026-33318.\u003c/li\u003e\n\u003cli\u003eImplement server-side checks to restrict access to the \u003ccode\u003e/account/change-password\u003c/code\u003e endpoint to password-authenticated sessions only, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eRequire current-password confirmation before accepting a new password via the \u003ccode\u003e/account/change-password\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eEnforce the \u003ccode\u003eactive\u003c/code\u003e status and remove client control over login method selection in the \u003ccode\u003egetLoginMethod()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eAs an immediate mitigation for existing deployments, administrators who have fully migrated to OpenID and do not need password auth can remove the orphaned password row using the SQL command: \u003ccode\u003eDELETE FROM auth WHERE method = 'password';\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-actual-privesc/","summary":"Any authenticated user can escalate to ADMIN on Actual servers migrated from password authentication to OpenID Connect by exploiting a lack of authorization checks, orphaned password rows, and client-controlled login methods, leading to full administrative privileges.","title":"Actual Privilege Escalation via change-password Endpoint on OpenID-Migrated Servers","url":"https://feed.craftedsignal.io/briefs/2024-01-03-actual-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Actual","version":"https://jsonfeed.org/version/1.1"}