IA Squad
js · @actual-app/sync-server · Heads-up

@actual-app/sync-server: GET /secret/:name missing admin check


23 Jun 2026 · Severity: schedule it

What changed

The GET /secret/:name endpoint does not verify the caller is an admin, allowing any authenticated non-admin user in OpenID multi-user deployments to probe the secrets store and determine which admin-managed bank-sync integrations are configured (existence only).

Who it affects

All deployments using OpenID multi-user mode with BASIC users; any authenticated non-admin user can enumerate secret names like gocardless_secretId, simplefin_accessKey, pluggyai_clientSecret, etc.

What to do today

Apply the recommended fix to add an admin check on the GET /secret/:name endpoint, mirroring the POST handler's authorization logic.
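The shape of that fix, as an added example and not the project's own code: the unguarded GET handler beside a hardened one that performs the same admin check the POST handler does, written as plain functions returning a status and body so they can be exercised without a server. The session layout (`session.role`), `isAdminUser`, and the sample secret names are assumptions.

```javascript
// Added example, not @actual-app/sync-server's code. The session shape,
// isAdminUser and the store contents are assumptions for illustration.

// Constructed sample store: only the names matter for this demonstration.
const secretsStore = new Map([
  ['gocardless_secretId', 'redacted'],
  ['simplefin_accessKey', 'redacted'],
]);

// Assumed helper: in a real server the role comes from session middleware.
function isAdminUser(session) {
  return Boolean(session && session.role === 'ADMIN');
}

// Vulnerable shape: no authorization before the lookup, so the 200/404
// split tells any authenticated BASIC user which secrets are configured.
function getSecretVulnerable(req) {
  const { name } = req.params;
  return secretsStore.has(name)
    ? { status: 200, body: { name, exists: true } }
    : { status: 404, body: { error: 'not-found' } };
}

// Reference for what the GET handler should mirror: the POST handler
// refuses non-admins before it touches the store at all.
function postSecret(req) {
  if (!isAdminUser(req.session)) {
    return { status: 403, body: { error: 'unauthorized' } };
  }
  secretsStore.set(req.params.name, req.body.value);
  return { status: 200, body: { status: 'ok' } };
}

// Hardened GET: the admin check runs first, so a non-admin gets the same
// 403 for existing and non-existing names and learns nothing about either.
function getSecretHardened(req) {
  if (!isAdminUser(req.session)) {
    return { status: 403, body: { error: 'unauthorized' } };
  }
  return getSecretVulnerable(req); // original lookup, now reached only by admins
}

module.exports = { getSecretVulnerable, getSecretHardened, postSecret, isAdminUser };
```

The ordering is the important part: the authorization check must precede the store lookup, otherwise a differing status or error body still acts as an existence oracle for non-admins.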
