{"id":"CVE-2026-42604","summary":"Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`","details":"Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions \u003c= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 `client_secret`—to any caller who knows the bootstrap password. The endpoint also lacks authentication and rate limiting, making the bootstrap password brute-forceable. Version 26.5.0 fixes the issue.","aliases":["GHSA-49v6-pqjq-xw55"],"modified":"2026-07-15T01:49:13.280052394Z","published":"2026-06-12T18:42:38.346Z","database_specific":{"cwe_ids":["CWE-863"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42604.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42604.json"},{"type":"ADVISORY","url":"https://github.com/actualbudget/actual/security/advisories/GHSA-49v6-pqjq-xw55"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42604"},{"type":"ARTICLE","url":"https://actualbudget.org/blog/release-26.5.0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/actualbudget/actual","events":[{"introduced":"0"},{"fixed":"4c62e2a75d48deb06d45e7ed89a2b9ddfd187e3d"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"26.5.0"}],"source":"AFFECTED_FIELD"}}],"versions":["v26.4.0","v26.3.0","v26.2.0","v26.1.0","v25.12.0","v25.11.0","v25.10.0","v25.9.0","v25.8.0","v25.7.1","v25.7.0","v25.6.1","v25.6.0","v25.5.0","v25.4.0","v25.3.0","v25.2.0","v25.1.0","v24.12.0","v24.11.0","v24.10.0","v24.9.0","v24.8.0","v24.7.0","v24.6.0","v24.5.0","v24.4.0","v24.3.0","v24.2.0","v24.1.0","v23.12.0","v23.11.0","v23.10.0","v23.9.0","v23.8.1","v23.8.0","v23.7.2","v23.7.1","v23.7.0","v23.6.0","v23.5.0","v23.4.2","v23.4.1","v23.4.0","v23.3.2","v23.3.0","v23.2.9","v23.2.5","v23.1.12","v22.12.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42604.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"}]}