Actual Budget Privilege Escalation Vulnerability via Password Change Endpoint on OpenID Migrated Servers
Vulnerability
A privilege escalation vulnerability has been identified in Actual Budget, a local-first personal finance tool, in versions prior to 26.4.0. It allows any authenticated user, including one holding only the BASIC role, to escalate to ADMIN on servers that have migrated from password authentication to OpenID Connect. The issue arises from a combination of three weaknesses: the 'POST /account/change-password' endpoint lacks proper authorization checks, so any session can overwrite the stored password hash; the password authentication row is left orphaned in the database after migration rather than removed; and the login endpoint accepts a client-supplied 'loginMethod' value, which bypasses the server's active authentication setting. Exploitation chains these weaknesses: overwrite the orphaned password hash from a low-privileged session, then authenticate through the password method with the attacker-chosen password to obtain an ADMIN session.
Impact
Successful exploitation allows any authenticated user to gain full ADMIN access, enabling them to manage all users, access and modify budget files regardless of ownership, alter file access controls, and change server configurations.
Reproduction
To reproduce this vulnerability, start from a server that has been migrated from password authentication to OpenID Connect, so that an orphaned password row still exists. Using a valid session token from any OpenID-authenticated user (a BASIC account is sufficient), send a POST request to '/account/change-password' with a new password; because the endpoint performs no authorization check, the orphaned password hash is overwritten. Then call the login endpoint with 'loginMethod' set to the password method and the newly set password. The server honours the client-supplied method even though OpenID is the active configuration and returns an ADMIN token, which can then be used against administrative endpoints.
Remediation
Upgrade to Actual Budget 26.4.0 or later. Administrators who have fully migrated to OpenID and no longer need password authentication can additionally delete the orphaned password row from the 'auth' table, which removes the hash the attack overwrites. For servers that still require password authentication, the 'POST /account/change-password' endpoint should be restricted to password-authenticated sessions only, and the current password should be required before a new one is accepted.
