CVE-2026-3089
EPSS: 0.02%
Actual Sync Server has an Authenticated Path Traversal
Published: 3/10/2026
Modified: 3/10/2026
Description
Actual Sync Server allows authenticated users to upload files through `POST /sync/upload-user-file`. In versions prior to 26.3.0, improper validation of the user-controlled `x-actual-file-id` header means that traversal segments (`../`) can escape the intended directory and write files outside `userFiles`.
Mitigations
The vulnerability can be mitigated in prior versions by running the sync server in a filesystem sandbox.
Affected packages (1)
- npm/@actual-app/sync-server: from 0, < 26.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-3089
- PATCH: https://github.com/actualbudget/actual
- WEB: https://fluidattacks.com/advisories/fugue
- WEB: https://github.com/actualbudget/actual/commit/18072e1d8b5281db43ded8b21433ee177bae9dfa
- WEB: https://github.com/actualbudget/actual/pull/7067
- WEB: https://github.com/actualbudget/actual/security/advisories/GHSA-27vg-33gh-4hwg