Local-First Personal Finance Tool Exposes Sensitive Configuration Data
CVE-2026-42604
6.9MEDIUM
What is CVE-2026-42604?
The sync-server of Actual Budget prior to version 26.5.0 has a significant security flaw in its POST /openid/config endpoint, which reveals the comprehensive OpenID Connect configuration—including sensitive OAuth2 client_secret—to anyone possessing the bootstrap password. This endpoint is also devoid of essential authentication and rate limiting measures, rendering the bootstrap password susceptible to brute-force attacks. The vulnerability is mitigated in version 26.5.0, which is recommended for all users.
Affected Version(s)
actual < 26.5.0
