CVE-2026-3089 — Actual Sync Server has an Authenticated Path Traversal

Description

# Description Actual Sync Server allows authenticated users to upload files through `POST /sync/upload-user-file`. In versions prior to 26.3.0, improper validation of the user-controlled `x-actual-file-id` header means that traversal segments (`../`) can escape the intended directory and write files outside `userFiles`. ## Mitigations The vulnerability can be mitigated in prior versions by running the sync server in a filesystem sandbox.

How to fix CVE-2026-3089

To remediate CVE-2026-3089, upgrade the affected package to a fixed version below.

—upgrade to 26.3.0 or later

Is CVE-2026-3089 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 26.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-3089
PATCHgithub.com/actualbudget/actual
WEBfluidattacks.com/advisories/fugue
WEBgithub.com/actualbudget/actual/commit/18072e1d8b5281db43ded8b21433ee177bae9dfa
WEB