CVE Catalog

CVE-2026-42604

MediumCVSS 6.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile - higher than 32% of all known CVEs

Summary

Versions of Actual Budget's sync-server up to 26.4.0 expose the full OpenID Connect configuration, including the OAuth2 `client_secret`, to any caller who knows the bootstrap password. The endpoint lacks authentication and rate limiting, making it susceptible to brute-force attacks.

Risk Assessment

The exposure of the `client_secret` could lead to unauthorized access to resources and potential abuse within the system. Organizations should be aware of the risks associated with the security of users' financial data.

Recommendation

It is recommended to upgrade to version 26.5.0, which addresses this vulnerability. Additionally, implementing stronger authentication mechanisms and rate limiting is advisable.

Original NVD description (English source)

Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 `client_secret`—to any caller who knows the bootstrap password. The endpoint also lacks authentication and rate limiting, making the bootstrap password brute-forceable. Version 26.5.0 fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS