🔐 CVE Alert

CVE-2026-42604

Severity: UNKNOWN (CVSS 0.0)

Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 11th

Actual is a local-first personal finance tool. In Actual Budget's sync-server, versions 26.4.0 and earlier, the `POST /openid/config` endpoint returns the full OpenID Connect configuration, including the OAuth2 `client_secret`, to any caller who presents the correct bootstrap password. Beyond that single password check the endpoint requires no authentication and applies no rate limiting, so the bootstrap password can be guessed online and, once known, used to read the secret. Version 26.5.0 fixes the issue.

CWE: CWE-863 (Incorrect Authorization)
Vendor: actualbudget
Product: actual
Published: Jun 12, 2026

Affected Versions

actualbudget / actual
< 26.5.0

References

NVD · CVE.org · EPSS Data
github.com: https://github.com/actualbudget/actual/security/advisories/GHSA-49v6-pqjq-xw55
actualbudget.org: https://actualbudget.org/blog/release-26.5.0