CVE-2026-42604
Description
Actual Budget sync-server <=26.4.0 exposes OAuth2 client_secret via unauthenticated POST /openid/config, allowing brute-force of bootstrap password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The POST /openid/config endpoint in Actual Budget's sync-server versions <= 26.4.0 returns the full OpenID Connect configuration, including the OAuth2 client_secret, to any caller who supplies the correct bootstrap password. The endpoint requires no other authentication and applies no rate limiting, so the bootstrap password can be guessed by brute force. [1][2]
Exploitation
An attacker with network access to the sync-server can repeatedly attempt to guess the bootstrap password via the unauthenticated POST /openid/config endpoint. Because there is no rate limiting, brute-force attacks are feasible. Once the correct bootstrap password is obtained, the attacker can retrieve the full OpenID configuration, including the client_secret. [2]
Impact
Successful exploitation discloses the OAuth2 client_secret. With this credential, an attacker can impersonate the Actual Budget application to the OpenID provider, potentially performing token exchange attacks or accessing user identity information. Combined with the leaked client_id, issuer URL, and endpoint configuration, the attacker has all credentials needed to interact with the identity provider as the application. [2]
Mitigation
The issue is fixed in version 26.5.0 of the sync-server. Users should upgrade to 26.5.0 or later. The fix includes adding authentication and rate limiting to the endpoint. [1][2] No workaround is mentioned; upgrading is the recommended action.
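As an added, defender-side example (not code from this page or from the Actual Budget project): a small Python detector that reads a web-server access log and flags any client that calls POST /openid/config in a burst, since legitimate use of that endpoint is a one-off setup step. The log lines are constructed sample data, and the combined-log format and the 401/200 status codes are assumptions, not details taken from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in combined log format (not real traffic).
# 203.0.113.7 hammers the endpoint within seconds; 198.51.100.9 calls it once.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2026:10:00:01 +0000] "POST /openid/config HTTP/1.1" 401 27
203.0.113.7 - - [12/Jun/2026:10:00:02 +0000] "POST /openid/config HTTP/1.1" 401 27
203.0.113.7 - - [12/Jun/2026:10:00:02 +0000] "POST /openid/config HTTP/1.1" 401 27
203.0.113.7 - - [12/Jun/2026:10:00:03 +0000] "POST /openid/config HTTP/1.1" 401 27
203.0.113.7 - - [12/Jun/2026:10:00:04 +0000] "POST /openid/config HTTP/1.1" 200 612
198.51.100.9 - - [12/Jun/2026:10:00:05 +0000] "POST /openid/config HTTP/1.1" 200 612
198.51.100.9 - - [12/Jun/2026:10:05:00 +0000] "GET /health HTTP/1.1" 200 15
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TARGET = ("POST", "/openid/config")  # the vulnerable endpoint named in the advisory

def parse_requests(log_text):
    """Yield (ip, timestamp, status) for every request to the target endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (m["method"], m["path"]) == TARGET:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])

def detect_bursts(log_text, window=timedelta(seconds=60), threshold=4):
    """Flag clients with >= threshold POST /openid/config calls in any sliding
    window (legitimate use is a one-off setup step); 'disclosed' marks a 200."""
    by_ip = defaultdict(list)
    for ip, ts, status in parse_requests(log_text):
        by_ip[ip].append((ts, status))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            if end - start + 1 >= threshold:
                findings[ip] = {"requests": len(events),
                                "disclosed": any(s == 200 for _, s in events[start:])}
                break
    return findings

if __name__ == "__main__":
    for ip, f in detect_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {f['requests']} calls to /openid/config, disclosed={f['disclosed']}")
```

A hit with disclosed=True means the burst ended with the endpoint returning the configuration, so the client_secret should be treated as compromised and rotated at the identity provider after upgrading.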
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=26.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.