CVE-2026-49229: @actual-app/sync-server: Disabled OpenID users keep access through existing session tokens

June 22, 2026

In OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity. Existing Actual session tokens for the disabled user remain valid, so the user can continue calling authenticated server endpoints after an administrator has disabled the account.

References

github.com/actualbudget/actual/security/advisories/GHSA-cq9c-6w48-qmfg
github.com/advisories/GHSA-cq9c-6w48-qmfg
nvd.nist.gov/vuln/detail/CVE-2026-49229

Code Behaviors & Features

Detect and mitigate CVE-2026-49229 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →