CVE-2026-42604

CVE-2026-42604

Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 `client_secret`—to any caller who knows…

Vulnerability class: Broken Access Control

Weakness classification (CWE)

References