@actual-app/sync-server
js · @actual-app/sync-server · Heads-up
@actual-app/sync-server: GET /secret/:name missing admin check
The GET /secret/:name endpoint does not verify the caller is an admin, allowing any authenticated non-admin user in OpenID multi-u
23 Jun 2026 · schedule it
js · @actual-app/sync-server · Critical
@actual-app/sync-server: Disabled users retain valid session tokens in OpenID multi-user mode
In OpenID multi-user mode, disabling a user does not invalidate existing session tokens, allowing continued authenticated access.
23 Jun 2026 · act now