| Summary | Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 `client_secret`—to any caller who knows the bootstrap password. The endpoint also lacks authentication and rate limiting, making the bootstrap password brute-forceable. Version 26.5.0 fixes the issue. |
|---|---|
| Publication Date | June 13, 2026, 5:16 a.m. |
| Registration Date | June 14, 2026, 4:11 a.m. |
| Last Update | June 13, 2026, 5:16 a.m. |