CVE-2026-3089

Actual Sync Server <26.3.0 - Path Traversal

Title source: llm

Description

Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.This issue affects prior versions of Actual Sync Server 26.3.0.

References (3)

[Various Sources] https://fluidattacks.com/advisories/fugue

[Various Sources] https://github.com/actualbudget/actual

[Issue Tracking] https://github.com/actualbudget/actual/pull/7067

Scores

Classification

CWE

CWE-22

Status draft

Timeline

Published Mar 09, 2026

Tracked Since Mar 09, 2026