Local-First Personal Finance Tool Exposes Sensitive Information to Non-Admin Users
CVE-2026-46700
4.3MEDIUM
What is CVE-2026-46700?
The Actual Finance Tool is affected by a vulnerability in the GET /secret/:name endpoint, which does not adequately validate the caller's access rights. Before version 26.6.0, any authenticated non-admin user in OpenID multi-user setups could exploit this oversight to access sensitive information regarding admin-managed bank-sync integrations. This included secrets like simplefin_accessKey and pluggyai_clientSecret. The associated POST /secret/ handler satisfies admin checks, but not the GET endpoint, making it a serious concern for user confidentiality. The issue has been resolved in version 26.6.0.
Affected Version(s)
actual < 26.6.0
