CVE-2026-42604

Published 12/06/2026 22:16 · Modified 12/06/2026 20:16 · Author: The MITRE Corporation

Labels: CVE-2026-42604 · 2026-06-12 · CWE-863 · [email protected]

Essential information

Published
12/06/2026 22:16
Modified
12/06/2026 20:16
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
6.9 MEDIUM (v3) 9.1 CRITICAL (v4.0)
CISA KEV
No
CWE
CWE-863
EPSS (First)
Percentile 10.9% (score 0.00035)
Description

Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 `client_secret`—to any caller who knows the bootstrap password. The endpoint also lacks authentication and rate limiting, making the bootstrap password brute-forceable. Version 26.5.0 fixes the issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product | CPE
actual / budget | cpe:2.3:a:actual:budget:<26.4.0:*:*:*:*:*:*:*
actual / budget | cpe:2.3:a:actual:budget:26.5.0:*:*:*:*:*:*:*

References