Description
Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any authenticated non-admin BASIC user in OpenID multi-user deployments can probe the secrets store and learn which admin-managed bank-sync integrations have been configured, including simplefin_accessKey, pluggyai_clientSecret, pluggyai_itemIds, and the gocardless secrets. This issue is fixed in version 26.6.0.
Published: 2026-07-07
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check on the GET /secret/:name endpoint of Actual’s sync server allows authenticated non‑admin BASIC users in OpenID multi‑user setups to enumerate secret entries. While the POST /secret/ handler enforces an admin check, the GET path only verifies a valid session, letting users discover which admin‑managed bank‑sync integrations have been configured. Exposed credentials include simplefin_accessKey, pluggyai_clientSecret, pluggyai_itemIds, and gocardless secrets, potentially giving attackers access to bank‑account information and privacy data. This weakness is cataloged as CWE‑285, an authorization bypass flaw.

Affected Systems

The affected component is Actual Budget’s sync server component (@actual‑app/sync‑server). All releases prior to version 26.6.0 are vulnerable, affecting both single‑user and multi‑user OpenID deployments that use BASIC authentication. The vulnerability is fixed in release v26.6.0.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk. The EPSS score is not available, so the exact likelihood of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. An attacker only needs a valid authenticated session within the sync server; enumeration can be performed by repeatedly sending GET requests with different secret names. Once patched, the risk is eliminated, but unpatched installations remain vulnerable to disclosure of sensitive credential information.

Generated by OpenCVE AI on July 8, 2026 at 04:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Actual to version 26.6.0 or later to apply the authorization fix for the GET /secret/:name endpoint.
  • Verify that the sync server is correctly configured to enforce admin checks for all secret access routes and that non‑admin OpenID users cannot invoke GET /secret/.
  • Ensure that non‑admin users in the organization have the appropriate role assignments and that no accidental admin privileges are granted in the OpenID configuration.

Generated by OpenCVE AI on July 8, 2026 at 04:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3f62-qv96-4p78 @actual-app/sync-server's missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets
History

Tue, 07 Jul 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Actualbudget
Actualbudget actual
Vendors & Products Actualbudget
Actualbudget actual

Tue, 07 Jul 2026 21:00:00 +0000

Type Values Removed Values Added
Description Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any authenticated non-admin BASIC user in OpenID multi-user deployments can probe the secrets store and learn which admin-managed bank-sync integrations have been configured, including simplefin_accessKey, pluggyai_clientSecret, pluggyai_itemIds, and the gocardless secrets. This issue is fixed in version 26.6.0.
Title Actual: Missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Actualbudget Actual
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-07T20:56:39.203Z

Reserved: 2026-05-15T23:26:58.308Z

Link: CVE-2026-46700

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T04:15:04Z

Weaknesses