Description
Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.This issue affects prior versions of Actual Sync Server 26.3.0.
References (3)
Core 3
Core References
Various Sources third-party-advisory
https://fluidattacks.com/advisories/fugue
Various Sources product
https://github.com/actualbudget/actual
Issue Tracking patch
https://github.com/actualbudget/actual/pull/7067
Scores
CVSS v3
6.5
EPSS
0.0002
EPSS Percentile
5.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (3)
Actual/Actual Sync Server
26.2.1
actual-app/sync-server
0 - 26.3.0npm
actualbudget/actual
< 26.3.0
Published
Mar 09, 2026
Tracked Since
Mar 09, 2026