Local-First Personal Finance Tool Exposes Sensitive Configuration Data
CVE-2026-42604

6.9MEDIUM

Key Information:

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-42604?

The sync-server of Actual Budget prior to version 26.5.0 has a significant security flaw in its POST /openid/config endpoint, which reveals the comprehensive OpenID Connect configuration—including sensitive OAuth2 client_secret—to anyone possessing the bootstrap password. This endpoint is also devoid of essential authentication and rate limiting measures, rendering the bootstrap password susceptible to brute-force attacks. The vulnerability is mitigated in version 26.5.0, which is recommended for all users.

Affected Version(s)

actual < 26.5.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.