GHSA-3f62-qv96-4p78: @actual-app/sync-server's missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets
mediumvulnerability
security
Summary
A bug in @actual-app/sync-server allows non-admin users to discover which admin-configured bank-sync secrets (credentials for integrations like bank connections) have been set up. The GET endpoint that retrieves secrets only checks that a user is logged in, while the POST endpoint that creates secrets properly requires admin access, creating a security gap where authenticated regular users can probe and learn which integrations exist without seeing the actual credential values.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
June 22, 2026
Classification
Attack SophisticationTrivial
Affected Packages
@actual-app/sync-server@< 26.6.0 (fixed: 26.6.0)
Monthly digest — independent AI security research
Original source: https://github.com/advisories/GHSA-3f62-qv96-4p78
First tracked: June 22, 2026 at 08:01 PM
Classified by LLM (prompt v3) · confidence: 95%