Impact
A missing authorization check on the GET /secret/:name endpoint of Actual’s sync server allows authenticated non‑admin BASIC users in OpenID multi‑user setups to enumerate secret entries. While the POST /secret/ handler enforces an admin check, the GET path only verifies a valid session, letting users discover which admin‑managed bank‑sync integrations have been configured. Exposed credentials include simplefin_accessKey, pluggyai_clientSecret, pluggyai_itemIds, and gocardless secrets, potentially giving attackers access to bank‑account information and privacy data. This weakness is cataloged as CWE‑285, an authorization bypass flaw.
Affected Systems
The affected component is Actual Budget’s sync server component (@actual‑app/sync‑server). All releases prior to version 26.6.0 are vulnerable, affecting both single‑user and multi‑user OpenID deployments that use BASIC authentication. The vulnerability is fixed in release v26.6.0.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate risk. The EPSS score is not available, so the exact likelihood of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. An attacker only needs a valid authenticated session within the sync server; enumeration can be performed by repeatedly sending GET requests with different secret names. Once patched, the risk is eliminated, but unpatched installations remain vulnerable to disclosure of sensitive credential information.
OpenCVE Enrichment
Github GHSA