PT-2026-31460 · Monetr · Monetr

Published: 2026-04-08 · Updated: 2026-04-08 · CVE-2026-39901

CVSS v3.1: 5.7 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

monetr versions prior to 1.12.3

Description

A transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion of those transactions via the normal DELETE path. This bypass undermines the intended protection for imported transaction records and allows protected transactions to be hidden from normal views.

The issue affects the transaction update path for synced transactions associated with non-manual links. The vulnerability is a server-side authorization and integrity flaw caused by trusting a client-supplied full transaction object and failing to protect sensitive server-managed fields from modification. The affected API endpoint is the transaction update endpoint. The vulnerable parameter is deletedAt.

Recommendations

Versions prior to 1.12.3 should be updated to version 1.12.3 or later.
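
The pattern from the description, contrasted with a hardened merge, as an added Go example that is not monetr's code or its actual patch. The Transaction type, every field name other than DeletedAt (the page's deletedAt), the function names, and the policy of rejecting any deletedAt change on update are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Transaction is a hypothetical model; only DeletedAt mirrors the page's deletedAt.
type Transaction struct {
	ID        string
	Name      string
	Amount    int64
	IsManual  bool       // false = synced from a non-manual link
	DeletedAt *time.Time // server-managed soft-delete marker
}

var ErrProtectedField = errors.New("deletedAt cannot be changed through update")

// unsafeUpdate trusts the full client object, so server-managed fields ride along.
func unsafeUpdate(stored, fromClient Transaction) Transaction {
	fromClient.ID = stored.ID
	return fromClient
}

// safeUpdate starts from the stored record, copies only client-editable fields,
// and refuses a request that tries to change DeletedAt (assumed policy).
func safeUpdate(stored, fromClient Transaction) (Transaction, error) {
	if !sameTime(stored.DeletedAt, fromClient.DeletedAt) {
		return stored, ErrProtectedField
	}
	stored.Name = fromClient.Name
	stored.Amount = fromClient.Amount
	return stored, nil
}

// sameTime treats two nil pointers as equal and compares instants otherwise.
func sameTime(a, b *time.Time) bool {
	if a == nil || b == nil {
		return a == b
	}
	return a.Equal(*b)
}

func main() {
	now := time.Now()
	synced := Transaction{ID: "txn_1", Name: "Coffee", Amount: 450} // constructed record
	req := Transaction{Name: "Coffee", Amount: 450, DeletedAt: &now}
	_, err := safeUpdate(synced, req)
	fmt.Println(unsafeUpdate(synced, req).DeletedAt != nil, err)
}
```

Deletion then stays on the DELETE path alone, where the check on non-manual links already applies.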

Fix

Improper Authorization

Weakness Enumeration

Related Identifiers: CVE-2026-39901, GHSA-HQXQ-HWQF-WG83

Affected Products: Monetr