Loading market data...
← Back to CVE feed

CVE-2026-42604

UNKNOWN View on NVD ↗

Description

Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 `client_secret`—to any caller who knows the bootstrap password. The endpoint also lacks authentication and rate limiting, making the bootstrap password brute-forceable. Version 26.5.0 fixes the issue.

Published: Jun 12, 2026 20:16 UTC Modified: Jun 12, 2026 20:16 UTC