Description
Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 `client_secret`—to any caller who knows the bootstrap password. The endpoint also lacks authentication and rate limiting, making the bootstrap password brute-forceable. Version 26.5.0 fixes the issue.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the POST /openid/config endpoint of Actual Budget’s sync‑server exposes the entire OpenID Connect configuration, including the OAuth2 client_secret, to any caller who knows the bootstrap password. The endpoint has no authentication guard and lacks rate limiting, which renders the bootstrap password brute‑forceable. This results in a confidentiality breach that can expose credentials used for synchronizing personal finance data.

Affected Systems

Actual Budget sync‑server versions 26.4.0 and earlier are affected. The problem is fixed in version 26.5.0. No other vendors or products are impacted by this specific flaw.

Risk and Exploitability

The CVSS v4.0 score of 6.9 indicates Medium severity. The EPSS score of less than 1% shows that exploitation is currently unlikely, and the vulnerability is not in the CISA KEV catalog. The recorded vector (AV:N/AC:L/AT:P/PR:N/UI:N) describes an unauthenticated attacker who can reach the sync‑server over the network; the one attack requirement is the bootstrap password, and because the endpoint is not rate limited that password can be guessed online. A recovered client_secret lets the attacker act as the sync‑server's OAuth2 client towards the identity provider, so the exposure matters most where the sync‑server is reachable from untrusted networks and the bootstrap password is short or reused.

Generated by OpenCVE AI on June 12, 2026 at 21:22 UTC.

Remediation

The description records that sync‑server version 26.5.0 fixes the issue; no separate workaround is listed by the vendor.

OpenCVE Recommended Actions

  • Upgrade to Actual Budget sync‑server version 26.5.0 or later, which corrects the authorization guard on POST /openid/config (CWE‑863).
  • Until the upgrade is applied, do not expose the sync‑server directly to untrusted networks; at the reverse proxy, restrict POST /openid/config to trusted sources and apply strict rate limiting to it so the bootstrap password cannot be guessed online. The sync‑server itself offers no setting that adds authentication to this endpoint.
  • Use a long, randomly generated bootstrap password; on an unpatched server it is the only thing between an unauthenticated caller and the OpenID configuration.
  • If the sync‑server was reachable from untrusted networks while vulnerable, treat the OAuth2 client_secret as disclosed: rotate it at the identity provider, update the sync‑server configuration, and review proxy logs for repeated POST /openid/config failures.


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 21:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Actualbudget
                                      Actualbudget actual
Vendors & Products                    Actualbudget
                                      Actualbudget actual

Fri, 12 Jun 2026 19:45:00 +0000

Type          Values Removed   Values Added
Description                    Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 `client_secret`—to any caller who knows the bootstrap password. The endpoint also lacks authentication and rate limiting, making the bootstrap password brute-forceable. Version 26.5.0 fixes the issue.
Title                          Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`
Weaknesses                     CWE-863
References
Metrics                        cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T18:42:38.346Z

Reserved: 2026-04-29T00:31:15.725Z

Link: CVE-2026-42604

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T20:16:45.140

Modified: 2026-06-12T20:16:45.140

Link: CVE-2026-42604

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T21:30:07Z

Weaknesses