CVE-2026-46700
Summary: In @actual-app/sync-server, GET /secret/:name omits the admin check even when OpenID multi-user mode is active, allowing authenticated non-admin users to enumerate admin-configured secrets (e.g., gocardless_secretId, gocardless_secretKey, simplefin_token, simplefin_accessKey, pluggyai_cl...