QwikSec

Security Database

CVE

CWE

Training

CVE-2026-3089

Published: Mar 9, 2026

Modified: Mar 9, 2026

PUBLISHED

Description

Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.This issue affects prior versions of Actual Sync Server 26.3.0.

Vendor	Product	Versions
Actual	Actual Sync Server	affected `26.2.1`

Weaknesses (CWE)

References

https://fluidattacks.com/advisories/fugue

third-party-advisory

https://github.com/actualbudget/actual

product

https://github.com/actualbudget/actual/pull/7067

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.