PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42890 actualbudget CVE debrief

A vulnerability was discovered in the Actual open-source personal finance application for macOS, specifically in version 25.x, which is built on Electron 39.2.7. The issue arises from the ELECTRON_RUN_AS_NODE fuse not being disabled, which allows an attacker to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable. Doing so turns the application into a Node.js REPL that can execute arbitrary code while inheriting the application's entitlements and code signature. Because that code runs under the application's own signature, it bypasses macOS Gatekeeper review, posing a significant security risk. The vulnerability has been patched in version 26.5.0.

Vendor: actualbudget
Product: actual
CVSS: MEDIUM 4.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Users of the Actual macOS desktop application, particularly those using version 25.x, should be aware of this vulnerability. Additionally, security teams and administrators responsible for managing software updates and security patches for personal finance applications should prioritize updating to version 26.5.0 or later.

Technical summary

The vulnerability in the Actual macOS desktop application (CVE-2026-42890) is due to the ELECTRON_RUN_AS_NODE fuse not being disabled. This allows an attacker to execute arbitrary code by invoking the signed application with the ELECTRON_RUN_AS_NODE=1 environment variable, effectively turning the application into a Node.js REPL. This bypasses macOS Gatekeeper, as the executed code inherits the application's entitlements and code signature.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update the Actual macOS desktop application to version 26.5.0 or later.
  • Verify that the ELECTRON_RUN_AS_NODE fuse is disabled in the installed application.

Evidence notes

The vulnerability was patched in version 26.5.0 of the Actual macOS desktop application. Users can refer to the official release notes at [ref-4] for more details. The advisory can also be found at [ref-5].

Official resources

CVE-2026-42890 was published on 2026-06-12T20:16:45.580Z.