4 matches found
CVE-2026-46700
Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...
CVE-2026-46700 Actual: Missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets
Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...
CVE-2026-46700
Summary: In @actual-app/sync-server, GET /secret/:name omits the admin check even when OpenID multi-user mode is active, allowing authenticated non-admin users to enumerate admin-configured secrets (e.g., gocardless_secretId, gocardless_secretKey, simplefin_token, simplefin_accessKey, pluggyai_cl...
ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
Missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information...