Local-First Personal Finance Tool Exposes Sensitive Information to Non-Admin Users
CVE-2026-46700

4.3MEDIUM

Key Information:

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-46700?

The Actual Finance Tool is affected by a vulnerability in the GET /secret/:name endpoint, which does not adequately validate the caller's access rights. Before version 26.6.0, any authenticated non-admin user in OpenID multi-user setups could exploit this oversight to access sensitive information regarding admin-managed bank-sync integrations. This included secrets like simplefin_accessKey and pluggyai_clientSecret. The associated POST /secret/ handler satisfies admin checks, but not the GET endpoint, making it a serious concern for user confidentiality. The issue has been resolved in version 26.6.0.

Affected Version(s)

actual < 26.6.0

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.