Severity: Unknown · Ecosystem: npm
Actual Sync Server has an Authenticated Path Traversal
GHSA-27vg-33gh-4hwg · CVE-2026-3089
Description
Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, the user-controlled x-actual-file-id header is used to build the destination path without adequate validation, so traversal segments (../) in that header can escape the intended userFiles directory and write files outside it.
Mitigations
The vulnerability can be mitigated in prior versions by running the sync server in a filesystem sandbox.
References
- WEB https://github.com/actualbudget/actual/security/advisories/GHSA-27vg-33gh-4hwg
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-3089
- WEB https://github.com/actualbudget/actual/pull/7067
- WEB https://github.com/actualbudget/actual/commit/18072e1d8b5281db43ded8b21433ee177bae9dfa
- WEB https://fluidattacks.com/advisories/fugue
- PACKAGE https://github.com/actualbudget/actual