CVE-2026-42604
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk32th percentile - higher than 32% of all known CVEs
Summary
Versions of Actual Budget's sync-server up to 26.4.0 expose the full OpenID Connect configuration, including the OAuth2 `client_secret`, to any caller who knows the bootstrap password. The endpoint lacks authentication and rate limiting, making it susceptible to brute-force attacks.
Risk Assessment
The exposure of the `client_secret` could lead to unauthorized access to resources and potential abuse within the system. Organizations should be aware of the risks associated with the security of users' financial data.
Recommendation
It is recommended to upgrade to version 26.5.0, which addresses this vulnerability. Additionally, implementing stronger authentication mechanisms and rate limiting is advisable.
Original NVD description (English source)
Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 `client_secret`—to any caller who knows the bootstrap password. The endpoint also lacks authentication and rate limiting, making the bootstrap password brute-forceable. Version 26.5.0 fixes the issue.

