Lucene search
K

4 matches found

NVD
NVD
added 6 days ago5 views

CVE-2026-46700

Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...

4.3CVSS0.00342EPSS
Exploits0References4
Cvelist
Cvelist
added 6 days ago34 views

CVE-2026-46700 Actual: Missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets

Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...

4.3CVSS0.00342EPSS
Exploits0References4
CVE
CVE
added 6 days ago24 views

CVE-2026-46700

Summary: In @actual-app/sync-server, GET /secret/:name omits the admin check even when OpenID multi-user mode is active, allowing authenticated non-admin users to enumerate admin-configured secrets (e.g., gocardless_secretId, gocardless_secretKey, simplefin_token, simplefin_accessKey, pluggyai_cl...

4.3CVSS6AI score0.00342EPSS
Exploits0References4
GitLab Advisory Database
GitLab Advisory Database
added 2026/02/24 12:0 a.m.18 views

ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints

Missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information...

9.2CVSS5.4AI score0.00395EPSS
Exploits1References5Affected Software1
Rows per page
Query Builder