{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3089", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2026-02-24T00:49:14.624Z", "datePublished": "2026-03-09T14:08:55.998Z", "dateUpdated": "2026-03-09T14:54:24.136Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected", "packageName": "@actual-app/sync-server", "platforms": ["Windows", "MacOS", "Linux"], "product": "Actual Sync Server", "vendor": "Actual", "versions": [{"status": "affected", "version": "26.2.1"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:actual:actual_sync_server:26.2.1:*:windows:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:actual:actual_sync_server:26.2.1:*:macos:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:actual:actual_sync_server:26.2.1:*:linux:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Juan Patarroyo"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.</span><p>This issue affects prior versions of Actual Sync Server 26.3.0.</p>"}], "value": "Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.This issue affects prior versions of Actual Sync Server 26.3.0."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-03-09T14:08:55.998Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/advisories/fugue"}, {"tags": ["product"], "url": "https://github.com/actualbudget/actual"}, {"tags": ["patch"], "url": "https://github.com/actualbudget/actual/pull/7067"}], "source": {"discovery": "UNKNOWN"}, "title": "Actual Sync Server 26.2.1 - Authenticated Path Traversal", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"references": [{"url": "https://fluidattacks.com/advisories/fugue", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T14:54:20.508514Z", "id": "CVE-2026-3089", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:54:24.136Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3089", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T14:54:20.508514Z"}}}], "references": [{"url": "https://fluidattacks.com/advisories/fugue", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:54:14.217Z"}}], "cna": {"title": "Actual Sync Server 26.2.1 - Authenticated Path Traversal", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Juan Patarroyo"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Actual", "product": "Actual Sync Server", "versions": [{"status": "affected", "version": "26.2.1"}], "platforms": ["Windows", "MacOS", "Linux"], "packageName": "@actual-app/sync-server", "collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://fluidattacks.com/advisories/fugue", "tags": ["third-party-advisory"]}, {"url": "https://github.com/actualbudget/actual", "tags": ["product"]}, {"url": "https://github.com/actualbudget/actual/pull/7067", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.This issue affects prior versions of Actual Sync Server 26.3.0.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.</span><p>This issue affects prior versions of Actual Sync Server 26.3.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:actual:actual_sync_server:26.2.1:*:windows:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:actual:actual_sync_server:26.2.1:*:macos:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:actual:actual_sync_server:26.2.1:*:linux:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2026-03-09T14:08:55.998Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3089", "state": "PUBLISHED", "dateUpdated": "2026-03-09T14:54:24.136Z", "dateReserved": "2026-02-24T00:49:14.624Z", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "datePublished": "2026-03-09T14:08:55.998Z", "assignerShortName": "Fluid Attacks"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:actualbudget:actual:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A7399ED0-2E66-4A0C-8463-A2647306D5FE", "versionEndExcluding": "26.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.This issue affects prior versions of Actual Sync Server 26.3.0."}, {"lang": "es", "value": "Actual Sync Server permite a usuarios autenticados subir archivos a trav\u00e9s de POST /sync/upload-user-file. En versiones anteriores a la 26.3.0, una validaci\u00f3n incorrecta del encabezado x-actual-file-id controlado por el usuario significa que los segmentos de recorrido (../) pueden escapar del directorio previsto y escribir archivos fuera de userFiles. Este problema afecta a versiones anteriores de Actual Sync Server 26.3.0."}], "id": "CVE-2026-3089", "lastModified": "2026-04-09T21:01:46.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "help@fluidattacks.com", "type": "Secondary"}]}, "published": "2026-03-09T14:16:10.143", "references": [{"source": "help@fluidattacks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://fluidattacks.com/advisories/fugue"}, {"source": "help@fluidattacks.com", "tags": ["Product"], "url": "https://github.com/actualbudget/actual"}, {"source": "help@fluidattacks.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/actualbudget/actual/pull/7067"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://fluidattacks.com/advisories/fugue"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "help@fluidattacks.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "macos", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "26.2.1"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 84.0, "source": "matching"}]}, "original": {"product": "Actual Sync Server", "source": "cna", "vendor": "Actual"}, "product": "actual_sync_server", "vendor": "actual"}], "analysis": {"en": {"generated_at": "2026-04-17T11:52:57.290388+00:00", "value": {"mitigation_remediation": ["Upgrade Actual Sync Server to version 26.3.0 or later to apply the official fix that properly validates the x\u2011actual-file-id header.", "If an update cannot be applied immediately, restrict the /sync/upload-user-file endpoint to reject any x\u2011actual-file-id header containing \u201c../\u201d or similar patterns, ensuring uploads are confined to the designated userFiles directory.", "Enforce server\u2011side validation of the x\u2011actual-file-id value, allowing only tokens that match a pre\u2011approved list of consented filenames or identifiers."], "summary": {"action": "Immediate Patch", "impact": "Authenticated Path Traversal"}, "threat_synthesis": {"affected_systems": "Affected users run the Actual Sync Server 26.2.1 or earlier (any patch level below 26.3.0). The product is available for Linux, macOS, and Windows platforms. The open-source repo is maintained under the Actual Budget project on GitHub.", "description_and_impact": "The vulnerability lies in improper validation of the x-actual-file-id header used during file uploads, allowing traversal segments such as ../ to escape the intended userFiles directory. This flaw permits authenticated users to place files wherever the server can write, potentially overwriting critical configuration or system files, exposing sensitive data, and creating a vector for further compromise. The weakness is a classic path traversal, identified as CWE-22, which carries the risk of arbitrary file write and data tampering within the hosting environment.", "risk_and_exploitability": "The CVSS score of 5.3 classifies this flaw as medium severity, and the EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires valid authentication to the sync service; an attacker would target the POST /sync/upload-user-file endpoint, supply a malicious x-actual-file-id header with traversal components, and cause the server to write the uploaded file outside the intended directory. The lack of external exploitation evidence and low EPSS suggest that the risk remains moderate but should not be ignored by users of vulnerable versions."}}}}, "created": "2026-03-10T14:07:21.295896+00:00", "updated": "2026-04-17T12:00:11.758798+00:00", "vendors": ["actual", "actual$PRODUCT$actual_sync_server"]}