CVE-2026-39901

CVE-2026-39901 is a medium-severity security vulnerability in github.com/monetr/monetr (go), affecting versions <= 1.12.2. It is fixed in 1.12.3.

Summary

A transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion of those transactions via the normal DELETE path. This bypass undermines the intended protection for imported transaction records and allows protected transactions to be hidden from normal views.

Details

The issue affects the transaction update path for synced transactions associated with non-manual links. The intended policy is clearly enforced in the DELETE handler: deletion of synced transactions for non-manual links is rejected with an error indicating that such transactions cannot be deleted.

However, the PUT update path still accepts a client-controlled full Transaction object and persists fields that should be server-managed, including deletedAt. The update logic appears to restrict only selected fields, which leaves deletedAt attacker-controllable.

Verified behavior on the same synced transaction showed:

  • DELETE was denied with the expected protection error for non-manual links
  • PUT with a user-supplied deletedAt value succeeded and returned 200 OK
  • a subsequent transaction list no longer showed the transaction
  • GET by transaction ID still returned the record with deletedAt populated

This demonstrates a policy bypass: although the server explicitly defines synced transactions on non-manual links as non-deletable through the dedicated delete route, the same outcome can still be achieved through the update route by setting the soft-delete field directly.

The vulnerability is therefore not a simple UI inconsistency. It is a server-side authorization and integrity flaw caused by trusting a client-supplied full transaction object and failing to protect sensitive server-managed fields from modification.

PoC

The issue can be reproduced by identifying a synced transaction on a non-manual link, confirming that the normal DELETE route rejects deletion, then submitting an update request that sets the transaction’s deletedAt field. The transaction will then disappear from normal listing views even though direct retrieval still shows the record as soft-deleted.

Impact

  • Type: Authorization bypass / integrity violation
  • Who is impacted: Authenticated tenant users and any deployment relying on synced transaction immutability for non-manual links
  • Security impact: Attackers can hide or effectively delete protected imported transactions that should not be deletable, compromising transaction history, bookkeeping integrity, and trust in audit-relevant server-managed fields
  • Attack preconditions: The attacker must be authenticated and able to access a synced transaction within their own tenant/account scope

CVE-2026-39901 has a CVSS score of 5.7 (Medium). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.12.3); upgrading removes the vulnerable code path.

Affected versions

github.com/monetr/monetr (<= 1.12.2)

Security releases

github.com/monetr/monetr → 1.12.3 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade github.com/monetr/monetr to 1.12.3 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-39901? CVE-2026-39901 is a medium-severity security vulnerability in github.com/monetr/monetr (go), affecting versions <= 1.12.2. It is fixed in 1.12.3.
  2. How severe is CVE-2026-39901? CVE-2026-39901 has a CVSS score of 5.7 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/monetr/monetr are affected by CVE-2026-39901? github.com/monetr/monetr (go) versions <= 1.12.2 is affected.
  4. Is there a fix for CVE-2026-39901? Yes. CVE-2026-39901 is fixed in 1.12.3. Upgrade to this version or later.
  5. Is CVE-2026-39901 exploitable, and should I be worried? Whether CVE-2026-39901 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-39901 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-39901? Upgrade github.com/monetr/monetr to 1.12.3 or later.

Other vulnerabilities in github.com/monetr/monetr

CVE-2026-41644CVE-2026-39901

Stop the waste.
Protect your environment with Kodem.