CVE-2026-3089
Directory Traversal in Actual Sync Server Allows Arbitrary File Write
Publication date: 2026-03-09
Last updated on: 2026-04-09
Assigner: Fluid Attacks
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| actualbudget | actual | to 26.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-3089 is an authenticated path traversal vulnerability in Actual Sync Server versions prior to 26.3.0. It occurs in the POST /sync/upload-user-file endpoint where the server uses a user-controlled header, x-actual-file-id, to construct file paths without proper validation. This allows an authenticated attacker to include traversal sequences like ../ to escape the intended userFiles directory and write files elsewhere on the server's filesystem."}, {'type': 'paragraph', 'content': 'The vulnerability arises because the server does not enforce strict allowlist validation or canonical boundary checks on the file ID, enabling attackers to create files outside the designated directory. Attempts to read sensitive files fail due to the server appending a fixed extension, but arbitrary file creation outside the intended directory is possible.'}] [1]
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to write arbitrary files outside the intended user files directory on the server. This can lead to unauthorized file creation in sensitive locations, potentially enabling further attacks such as overwriting important files, planting malicious files, or disrupting server operations.
Although reading sensitive files directly is mitigated by the server appending a fixed file extension, the ability to write files arbitrarily still poses a significant security risk, including possible privilege escalation or denial of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring and inspecting authenticated POST requests to the /sync/upload-user-file endpoint, specifically looking for the presence of the x-actual-file-id header containing path traversal sequences such as ../.'}, {'type': 'paragraph', 'content': 'Commands to detect potential exploitation attempts could include capturing HTTP traffic or logs and searching for suspicious header values. For example, using curl to test the endpoint with a traversal payload:'}, {'type': 'list_item', 'content': 'curl -X POST -H "x-actual-file-id: ../../../tmp/malicious" -F "file=@testfile" https://your-actual-sync-server/sync/upload-user-file -u user:password'}, {'type': 'paragraph', 'content': 'Additionally, network monitoring tools or intrusion detection systems can be configured to alert on POST requests to /sync/upload-user-file with x-actual-file-id headers containing ../ sequences.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade Actual Sync Server to version 26.3.0 or later, where the vulnerability has been fixed by enforcing strict validation of the x-actual-file-id header to prevent path traversal.
If upgrading immediately is not possible, consider implementing network-level controls to restrict access to the /sync/upload-user-file endpoint to trusted authenticated users only, and monitor for suspicious file upload attempts with traversal sequences.
Review and apply the patch from the official repository that introduces validation for file IDs, which rejects invalid inputs with HTTP 400 responses.