CVE-2026-3089
EPSS 0.02%
Actual Sync Server has an Authenticated Path Traversal
Published: 2026/3/10 | Modified: 2026/3/10
Description
Actual Sync Server allows authenticated users to upload files through `POST /sync/upload-user-file`. In versions prior to 26.3.0, the user-controlled `x-actual-file-id` header is not properly validated before it is used to build the destination path, so traversal segments (`../`) escape the intended `userFiles` directory and let an authenticated user write files outside it. The precondition is a valid login (CVSS PR:L); the impact is an arbitrary file write with the privileges of the server process.
Mitigations
Upgrade to 26.3.0 or later, which contains the fix. On earlier versions the vulnerability can be mitigated by running the sync server in a filesystem sandbox, so that a write outside `userFiles` cannot reach anything the process should not touch.
Affected packages (1)
- npm/@actual-app/sync-server: from 0, < 26.3.0 (every release before 26.3.0)
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-3089
- PATCH: https://github.com/actualbudget/actual
- WEB: https://fluidattacks.com/advisories/fugue
- WEB: https://github.com/actualbudget/actual/commit/18072e1d8b5281db43ded8b21433ee177bae9dfa
- WEB: https://github.com/actualbudget/actual/pull/7067
- WEB: https://github.com/actualbudget/actual/security/advisories/GHSA-27vg-33gh-4hwg