CVE-2026-49229: @actual-app/sync-server: Disabled OpenID users keep access through existing session tokens

CVSS Score: 8.3
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-49229
Vendor: npm
Affected Product: @actual-app/sync-server
Vulnerability Type: Vulnerability
CVSS Score: 8.3 (HIGH)
Actively Exploited: No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Summary

In OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity. Existing Actual session tokens for the disabled user remain valid, so the user can continue calling authenticated server endpoints after an administrator has disabled the account.

Details

The disabled-user check is present during OpenID login finalization. Existing users are only accepted when the matching row has enabled = 1, and a disabled row causes the OpenID grant to fail before a new session token is created.

```ts
// packages/sync-server/src/accounts/openid.ts:284-291
const { id: userIdFromDb, display_name: displayName } =
  accountDb.first(
    'SELECT id, display_name FROM users WHERE user_name = ? and enabled = 1',
    [identity],
  ) || {};
if (userIdFromDb == null) {
  throw new E
```
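The behaviour the advisory describes, played through as an added example (this is not code from @actual-app/sync-server): an in-memory store with constructed `users` and `sessions` rows, a token-only session check standing in for the weak pattern where a token stays valid after the account is disabled, and a hardened check that re-reads the user's `enabled` flag on every request, plus explicit revocation of the user's sessions when an administrator disables the account. `AccountStore`, `validateSession`, `revokeSessions` and the other names are hypothetical.

```typescript
// Added illustration, not code from @actual-app/sync-server. The Maps below
// stand in for the users and sessions tables; all names and rows are constructed.
interface UserRow { id: string; user_name: string; enabled: 0 | 1 }
interface SessionRow { token: string; user_id: string }

class AccountStore {
  users = new Map<string, UserRow>();       // keyed by user id
  sessions = new Map<string, SessionRow>(); // keyed by session token

  addUser(id: string, userName: string): void {
    this.users.set(id, { id, user_name: userName, enabled: 1 });
  }

  // Login-time gate, as the advisory describes it: only a row with
  // enabled = 1 is accepted, so a disabled user never gets a fresh token.
  loginViaOpenId(userName: string): string {
    const row = Array.from(this.users.values())
      .find(u => u.user_name === userName && u.enabled === 1);
    if (!row) throw new Error('openid grant failed: unknown or disabled user');
    const token = `tok-${row.id}-${this.sessions.size + 1}`;
    this.sessions.set(token, { token, user_id: row.id });
    return token;
  }

  // Administrator action that only flips the flag (the behaviour the
  // advisory describes): existing tokens are untouched.
  setEnabled(id: string, enabled: 0 | 1): void {
    const user = this.users.get(id);
    if (user) user.enabled = enabled;
  }

  // Weak pattern: asks only whether the token exists. A user disabled after
  // login keeps being accepted on every later request.
  validateSessionTokenOnly(token: string): UserRow | null {
    const s = this.sessions.get(token);
    return s ? this.users.get(s.user_id) ?? null : null;
  }

  // Hardened pattern: the current enabled flag is consulted on every request,
  // so disabling the account takes effect on the next call.
  validateSession(token: string): UserRow | null {
    const s = this.sessions.get(token);
    if (!s) return null;
    const user = this.users.get(s.user_id);
    return user && user.enabled === 1 ? user : null;
  }

  // Defence in depth: drop the user's existing sessions when disabling, so
  // even a token-only check stops accepting them. Returns how many were revoked.
  revokeSessions(id: string): number {
    let revoked = 0;
    for (const [token, s] of Array.from(this.sessions.entries())) {
      if (s.user_id === id) { this.sessions.delete(token); revoked++; }
    }
    return revoked;
  }
}

// Walk through the scenario: issue a token, disable the user, then see which
// validator still accepts the old token, and what revocation changes.
function demo() {
  const store = new AccountStore();
  store.addUser('u1', 'alice');                 // constructed sample user
  const token = store.loginViaOpenId('alice');

  store.setEnabled('u1', 0);                    // administrator disables the account

  const weakAccepts = store.validateSessionTokenOnly(token) !== null;  // true
  const hardenedAccepts = store.validateSession(token) !== null;       // false
  let newLoginBlocked = false;
  try { store.loginViaOpenId('alice'); } catch { newLoginBlocked = true; } // true

  const revoked = store.revokeSessions('u1');                          // 1
  const weakAfterRevoke = store.validateSessionTokenOnly(token) !== null; // false
  return { weakAccepts, hardenedAccepts, newLoginBlocked, revoked, weakAfterRevoke };
}
```

The token-only validator models why the disable is ineffective: the flag is checked exactly once, at login. Re-checking `enabled` on each request closes the gap for any handler that calls it, and revoking the user's sessions at disable time additionally protects handlers that still only look up the token.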
