A vulnerability has been found in actualbudget actual up to 26.4.x and classified as critical . This impacts an unknown function of the file /openid/config of the component Endpoint . The manipulation leads to incorrect authorization. This vulnerability is traded as CVE-2026-42604 . It is possible to initiate the attack remotely. There is no exploit available. The affected component should be upgraded.