CVE Alert

CVE-2026-3089

UNKNOWN 0.0

Actual Sync Server 26.2.1 - Authenticated Path Traversal

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles. This issue affects Actual Sync Server versions prior to 26.3.0.

CWE CWE-22
Vendor actual
Product actual sync server
Published Mar 9, 2026
Last Updated Mar 9, 2026

Affected Versions

Actual / Actual Sync Server
26.2.1

References

NVD
CVE.org
EPSS Data
fluidattacks.com: https://fluidattacks.com/advisories/fugue
github.com: https://github.com/actualbudget/actual
github.com: https://github.com/actualbudget/actual/pull/7067

Credits

Juan Patarroyo