Impact
The vulnerability lies in improper validation of the x-actual-file-id HTTP header that the server uses to name a file during upload. Because the header value is used in building the destination path without being checked, traversal segments such as ../ let it escape the intended userFiles directory. An authenticated user can therefore place an uploaded file at any location the server process has write permission for, including configuration or other files the application relies on, which enables data tampering and can serve as a foothold for further compromise (for example, by overwriting a file that is later read or executed). The weakness is a classic path traversal, CWE-22, resulting in an arbitrary file write limited only by the server account's filesystem permissions.
Affected Systems
Affected deployments run Actual Sync Server 26.2.1 or earlier; every release below 26.3.0 is vulnerable. The server is distributed for Linux, macOS, and Windows, and the open-source repository is maintained under the Actual Budget project on GitHub. Self-hosted instances do not update themselves, so operators should confirm the running version rather than assume the current release is installed.
Risk and Exploitability
The CVSS score of 5.3 places this flaw at medium severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires valid credentials for the sync service: an attacker sends a POST request to the /sync/upload-user-file endpoint with an x-actual-file-id header containing traversal components, and the server writes the uploaded body to the resulting path outside the intended directory. No special tooling is needed beyond an HTTP client, so the authentication requirement is the main barrier; on a server shared by several users, anyone holding sync credentials is a potential attacker. The absence of public exploitation evidence and the low EPSS keep the overall risk moderate, but operators of vulnerable versions should upgrade, and can look for attempts in request logs by flagging POST /sync/upload-user-file requests whose x-actual-file-id value contains ".." or a path separator.