Path Traversal in Actual Sync Server

CVE-2026-3089

Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can esca…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (4.9th percentile) — read the EPSS interpretation.

Affected products

Actual Sync Server — versions 26.2.1

Weakness classification (CWE)

CWE-22 — Path Traversal

References

fluidattacks.com/advisories/fugue (third-party-advisory)
github.com/actualbudget/actual (product)
github.com/actualbudget/actual/pull/7067 (patch)