CVE-2026-49229 - Actual: Disabled OpenID users keep access through existing session tokens
CVE ID :CVE-2026-49229 Published : July 7, 2026, 10:16 p.m. | 58 minutes ago Description :Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the...