Back to overview

CVE-2026-46700

MEDIUM
4.3
CVSS 3.1
Description
Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any authenticated non-admin BASIC user in OpenID multi-user deployments can probe the secrets store and learn which admin-managed bank-sync integrations have been configured, including simplefin_accessKey, pluggyai_clientSecret, pluggyai_itemIds, and the gocardless secrets. This issue is fixed in version 26.6.0.

Metadata

CVE ID
CVE-2026-46700
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-15 23:26 UTC
Published
2026-07-07 20:56 UTC
Last updated
2026-07-07 20:56 UTC
Primary CWE
CWE-285
CWE-285: Improper Authorization
Vendor / Product
actualbudget / actual
Sources
cve.org  ·  NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
actualbudget actual < 26.6.0
Weakness (CWE)
CWESourceDescription
CWE-285 cna CWE-285: Improper Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
4.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References (4)
Back to overview