5.3
Actual Sync Server allows unauthorized file uploads in older versions
GHSA-27vg-33gh-4hwg
CVE-2026-3089
Summary
Authenticated users can upload files to unintended locations in older versions of Actual Sync Server. This is a security risk because it allows attackers to upload malicious files outside of a specific directory. Update to version 26.3.0 or later to fix this issue.
What to do
- Update actual-app sync-server to version 26.3.0.
- Update actual-app @actual-app/sync-server to version 26.3.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| actual-app | sync-server | <= 26.2.0 | 26.3.0 |
| actual-app | @actual-app/sync-server | <= 26.3.0 | 26.3.0 |
Original title
Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header me...
Original description
Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles. This issue affects versions of Actual Sync Server prior to 26.3.0.
CVSS 4.0 (GHSA): 5.3
Vulnerability type
CWE-22: Path Traversal
- https://github.com/actualbudget/actual/security/advisories/GHSA-27vg-33gh-4hwg
- https://nvd.nist.gov/vuln/detail/CVE-2026-3089
- https://github.com/actualbudget/actual/pull/7067
- https://github.com/actualbudget/actual/commit/18072e1d8b5281db43ded8b21433ee177b...
- https://fluidattacks.com/advisories/fugue
- https://github.com/actualbudget/actual
- https://github.com/advisories/GHSA-27vg-33gh-4hwg
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026