PT-2026-24064 · Actual · Actual Sync Server

Juan Patarroyo · Published 2026-03-09 · Updated 2026-05-19

CVE-2026-3089
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Actual Sync Server versions prior to 26.3.0

Description: Actual Sync Server allows authenticated users to upload files through the '/sync/upload-user-file' API endpoint. In versions prior to 26.3.0, insufficient validation of the x-actual-file-id header allows traversal segments (../) to escape the intended directory, potentially allowing files to be written outside the userFiles directory.

Recommendations: Update to version 26.3.0 or later.

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-3089
GHSA-27VG-33GH-4HWG

Affected Products

Actual Sync Server