Actual · Actual Sync Server · CVE-2026-3089
**Name of the Vulnerable Software and Affected Versions**
Actual Sync Server versions prior to 26.3.0
**Description**
Actual Sync Server allows authenticated users to upload files through the `/sync/upload-user-file` API endpoint. In versions prior to 26.3.0, the server does not sufficiently validate the `x-actual-file-id` header, so a value containing traversal segments (`../`) can escape the intended directory, potentially allowing an authenticated user to write files outside the userFiles directory.
**Recommendations**
Update to version 26.3.0 or later.