Medium severity (CVSS 6.5, NVD Advisory) · Published Mar 9, 2026 · Updated Apr 9, 2026
CVE-2026-3089
Description
Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, the user-controlled x-actual-file-id header is used to build the destination path without adequate validation, so traversal segments (../) in the header can escape the intended directory and write files outside userFiles. This issue affects versions of Actual Sync Server prior to 26.3.0; it is fixed in 26.3.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @actual-app/sync-server | npm | < 26.3.0 | 26.3.0 |
References (6)
- github.com/actualbudget/actual/pull/7067 (NVD: Issue Tracking, Patch)
- fluidattacks.com/advisories/fugue (NVD: Exploit, Third Party Advisory)
- github.com/advisories/GHSA-27vg-33gh-4hwg (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-3089 (GHSA: Advisory)
- github.com/actualbudget/actual/commit/18072e1d8b5281db43ded8b21433ee177bae9dfa (GHSA: Patch commit)
- github.com/actualbudget/actual/security/advisories/GHSA-27vg-33gh-4hwg (GHSA: Repository advisory)