PatchSiren cyber security CVE debrief
CVE-2026-42604 actualbudget CVE debrief
A vulnerability was discovered in Actual Budget's sync-server versions <= 26.4.0. The `POST /openid/config` endpoint exposes the full OpenID Connect configuration, including the OAuth2 `client_secret`, to any caller who knows the bootstrap password. The endpoint lacks authentication and rate limiting, making the bootstrap password brute-forceable. This issue was fixed in version 26.5.0.
- Vendor: actualbudget
- Product: actual
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Anyone running Actual Budget's sync-server at version 26.4.0 or earlier, in particular deployments that have OpenID Connect configured (so an OAuth2 `client_secret` is present to disclose), should treat this as actionable and apply the defensive steps below.
Technical summary
The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 returns the full OpenID Connect configuration, including the OAuth2 `client_secret`, to any caller who supplies the bootstrap password. Because the endpoint performs no other authentication and applies no rate limiting, that password can be guessed by repeated requests, and a successful guess discloses the secret.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to version 26.5.0 or later
- Review and secure the bootstrap password
- Monitor for suspicious activity on the sync-server
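The summary above notes that the endpoint applies no rate limiting, and the last action asks operators to monitor the sync-server. The following is an added example, not code from PatchSiren or the Actual Budget project, showing both checks a defender would want: a version comparison against the fixed release and a scan of reverse-proxy access logs for bursts of `POST /openid/config` from one source. The combined-style log format, the sample lines, the source addresses and the 401 status for a rejected bootstrap password are all constructed assumptions; the real sync-server log format is not given on the page.

```python
"""Defender-side checks for CVE-2026-42604 (added example, not project code).

Two helpers:
  is_affected()      -- is a sync-server version string at or below 26.4.0?
  find_bruteforce()  -- which sources sent a burst of POST /openid/config?
The access-log format assumed here is the common "combined" reverse-proxy
format; the sync-server's own log layout is an assumption, not from the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

FIXED_VERSION = "26.5.0"  # first fixed release, per the advisory

# Combined-format access line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _version_key(version):
    """Turn '26.4.0' into (26, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed release."""
    return _version_key(version) < _version_key(fixed)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1),
                    path="/openid/config"):
    """Return {ip: peak_count} for sources that sent at least `threshold`
    POSTs to `path` inside any `window`-long sliding interval."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            by_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # shrink the window from the left until it fits
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample log: one source hammers the endpoint (seven rejected
# attempts in six seconds), another source makes a single legitimate call.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Jun/2026:10:00:0{i} +0000] '
    f'"POST /openid/config HTTP/1.1" 401 27'
    for i in range(1, 8)
] + [
    '198.51.100.2 - - [12/Jun/2026:10:03:00 +0000] '
    '"POST /openid/config HTTP/1.1" 200 512',
    '198.51.100.2 - - [12/Jun/2026:10:03:10 +0000] '
    '"GET /openid/config HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print("26.4.0 affected:", is_affected("26.4.0"))   # True
    print("26.5.0 affected:", is_affected("26.5.0"))   # False
    print("flagged sources:", find_bruteforce(SAMPLE_LOG))  # {'203.0.113.7': 7}
```

The sliding-window count is deliberately per source rather than global, so a single legitimate configuration fetch (the second source above) is never flagged, while a burst that would never occur in normal use stands out. In a real deployment, point `find_bruteforce` at the reverse proxy's access log in front of the sync-server and tune `threshold` and `window` to the instance's normal traffic.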
Evidence notes
The CVE-2026-42604 record was obtained from the official CVE.org database.
Official resources
CVE-2026-42604 was published on 2026-06-12T20:16:45.140Z.