github-starred/actual
2
0
Fork 0
mirror of https://github.com/actualbudget/actual.git synced 2026-03-21 15:36:50 -05:00
Code Issues 250 Packages Projects Releases 53 Wiki Activity
Files
6494d8ef4e1b4911115173dcc2334ebf55ef2c1c
actual/upcoming-release-notes/7207.md
Matiss Janis Aboltins 53cdc6fa48 [AI] Further hardening of "/change-password" endpoint (#7207) 
* [AI] Fix OIDC privilege escalation in /change-password endpoint

Add admin role check and password auth_method session check to prevent
non-admin or OIDC-authenticated users from changing the server password.
Previously, any authenticated user could overwrite the password hash and
then login via password method to obtain an ADMIN session.

https://claude.ai/code/session_01Wne9FY2QnKp6JF7g61B1Sn

* Add release notes for PR #7207

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-03-17 08:16:46 +00:00

142 B
Raw Blame History

category, authors
category authors
Enhancements
MatissJanis

Add admin and password authentication requirements for changing passwords in sessions.

Reference in New Issue View Git Blame Copy Permalink