Lucene search
K

4 matches found

NVD
NVD
added 4 days ago5 views

CVE-2026-46700

Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...

4.3CVSS0.00342EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 4 days ago4 views

CVE-2026-46700

Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...

4.3CVSS6AI score0.00342EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/22 9:42 p.m.7 views

@actual-app/sync-server's missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets

Summary In @actual-app/sync-server, the GET /secret/:name endpoint app-secrets.js:53 checks only that the caller has a valid session — it does not verify the caller is an admin. The sibling POST /secret/ handler does enforce an admin check in OpenID mode, exposing an authorization asymmetry. Any...

4.3CVSS5.8AI score0.00342EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2025/10/24 3:27 p.m.2 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the /api/v1/secret, and /api/v1/service endpoints. An attacker can retrieve sensitive cluster information by sending unauthenticated requests directly to exposed API paths. Workaround Thi...

8.7CVSS6.8AI score0.00607EPSS
Exploits0References3
Rows per page
Query Builder