PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46700 actualbudget CVE debrief

CVE-2026-46700 is an authentication bypass vulnerability in Actual local-first personal finance tool prior to version 26.6.0. The vulnerability allows an authenticated non-admin BASIC user in OpenID multi-user deployments to probe the secrets store and learn which admin-managed bank-sync integrations have been configured. This issue arises from the GET /secret/:name endpoint in @actual-app/sync-server not verifying if the caller is an admin, unlike the POST /secret/ handler which enforces an admin check in OpenID mode. The vulnerability has been fixed in version 26.6.0, and users should upgrade to this version or later to mitigate the issue.

Vendor
actualbudget
Product
actual
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Actual local-first personal finance tool, especially those using OpenID multi-user deployments, should be aware of this vulnerability and take steps to protect themselves. This includes reviewing their deployment, ensuring that only authorized users have access to the secrets store, and monitoring for suspicious activity. Additionally, operators, platform administrators, and security teams should review the vulnerability and take necessary actions to mitigate the issue.

Technical summary

The vulnerability exists in the GET /secret/:name endpoint of @actual-app/sync-server, which does not verify if the caller is an admin. This allows an authenticated non-admin BASIC user to probe the secrets store and learn which admin-managed bank-sync integrations have been configured, including simplefin_accessKey, pluggyai_clientSecret, pluggyai_itemIds, and the gocardless secrets. The issue is fixed in version 26.6.0, and users should review their deployment to ensure that only authorized users have access to the secrets store.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to version 26.6.0 or later
  • Review and restrict access to the GET /secret/:name endpoint
  • Monitor for suspicious activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The vulnerability was fixed in version 26.6.0. Users should review their deployment and ensure that only authorized users have access to the secrets store. This involves verifying that the GET /secret/:name endpoint is properly secured and that only admin users can access sensitive information. Additionally, users should monitor for suspicious activity and review their bank-sync integrations to prevent potential exploitation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T21:17:25.560Z and has not been modified since then.