{"id":"CVE-2026-42890","summary":"actual Allows Electron to Run As Node","details":"Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable set. This converts the application into a Node.js REPL capable of executing arbitrary code that inherits the application's entitlements and code signature, bypassing macOS Gatekeeper review. Version 26.5.0 patches the issue.","aliases":["GHSA-7rvm-xjpp-63r9"],"modified":"2026-07-08T08:05:13.201001880Z","published":"2026-06-12T18:58:42.239Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-94"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42890.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42890.json"},{"type":"ADVISORY","url":"https://github.com/actualbudget/actual/security/advisories/GHSA-7rvm-xjpp-63r9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42890"},{"type":"ARTICLE","url":"https://actualbudget.org/blog/release-26.5.0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/actualbudget/actual","events":[{"introduced":"0"},{"fixed":"4c62e2a75d48deb06d45e7ed89a2b9ddfd187e3d"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"26.5.0"}],"source":"AFFECTED_FIELD"}}],"versions":["v26.4.0","v26.3.0","v26.2.0","v26.1.0","v25.12.0","v25.11.0","v25.10.0","v25.9.0","v25.8.0","v25.7.1","v25.7.0","v25.6.1","v25.6.0","v25.5.0","v25.4.0","v25.3.0","v25.2.0","v25.1.0","v24.12.0","v24.11.0","v24.10.0","v24.9.0","v24.8.0","v24.7.0","v24.6.0","v24.5.0","v24.4.0","v24.3.0","v24.2.0","v24.1.0","v23.12.0","v23.11.0","v23.10.0","v23.9.0","v23.8.1","v23.8.0","v23.7.2","v23.7.1","v23.7.0","v23.6.0","v23.5.0","v23.4.2","v23.4.1","v23.4.0","v23.3.2","v23.3.0","v23.2.9","v23.2.5","v23.1.12","v22.12.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42890.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}]}