js · @actual-app/sync-server · Critical

@actual-app/sync-server: Disabled users retain valid session tokens in OpenID multi-user mode

In OpenID multi-user mode, disabling a user does not invalidate existing session tokens, allowing continued authenticated access.

23 Jun 2026 · Severity: act now

What changed

In OpenID multi-user mode, disabling a user does not invalidate existing session tokens, allowing continued authenticated access.

Who it affects

All deployments of @actual-app/sync-server using OpenID multi-user mode, especially those running with the default token expiration ('never'), where a disabled user's token would otherwise never lapse on its own.

What to do today

Apply the fix, which checks the user's enabled status during session validation and revokes that user's sessions at the moment the user is disabled.
