GHSA-7RVM-XJPP-63R9
Vulnerability from github – Published: 2026-06-08 18:21 – Updated: 2026-06-12 21:59Summary
A electron run as node vulnerability was identified in actual (macOS application, version 25.x (Electron 39.2.7)).
Vulnerability Type: Electron Run As Node
Description
ELECTRON_RUN_AS_NODE fuse enabled (Electron 39.2.7) — app can be converted to Node.js REPL for arbitrary code execution
Impact
An attacker who can place a file on disk or control command-line arguments can invoke the signed Actual.app binary with ELECTRON_RUN_AS_NODE=1 to execute arbitrary Node.js code inheriting the apps entitlements and code signature. This bypasses macOS Gatekeeper review of the payload: the Node.js script runs as Actual, under Actuals bundle ID and signed identity, and has access to any entitlements the app carries (network, file access, keychain, automation). Combined with any downloader (browser, mail attachment, Slack link) this becomes a signed-binary-abuse primitive on every Mac with Actual installed.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "actual"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42890"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-693",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-08T18:21:26Z",
"nvd_published_at": "2026-06-12T20:16:45Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA electron run as node vulnerability was identified in `actual` (macOS application, version `25.x (Electron 39.2.7)`).\n\n**Vulnerability Type:** Electron Run As Node\n\n## Description\n\nELECTRON_RUN_AS_NODE fuse enabled (Electron 39.2.7) \u2014 app can be converted to Node.js REPL for arbitrary code execution\n\n## Impact\n\nAn attacker who can place a file on disk or control command-line arguments can invoke the signed Actual.app binary with ELECTRON_RUN_AS_NODE=1 to execute arbitrary Node.js code inheriting the apps entitlements and code signature. This bypasses macOS Gatekeeper review of the payload: the Node.js script runs as Actual, under Actuals bundle ID and signed identity, and has access to any entitlements the app carries (network, file access, keychain, automation). Combined with any downloader (browser, mail attachment, Slack link) this becomes a signed-binary-abuse primitive on every Mac with Actual installed.",
"id": "GHSA-7rvm-xjpp-63r9",
"modified": "2026-06-12T21:59:55Z",
"published": "2026-06-08T18:21:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/actualbudget/actual/security/advisories/GHSA-7rvm-xjpp-63r9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42890"
},
{
"type": "WEB",
"url": "https://actualbudget.org/blog/release-26.5.0"
},
{
"type": "PACKAGE",
"url": "https://github.com/actualbudget/actual"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "actual Allows Electron to Run As Node"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.