CVE-2026-24125
Status: Received - Intake
Directory Traversal in TinaCMS GraphQL Allows Unauthorized File Access

Publication date: 2026-03-12

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. This vulnerability is fixed in 2.1.2.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: ssw
Product: tinacms/graphql
Version / Range: up to 2.1.2 (exclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-24125 is a path traversal vulnerability in TinaCMS, a headless content management system. It affects versions up to 2.1.1 and was fixed in 2.1.2. The issue arises because TinaCMS allows users to create, update, move, and delete content documents using relative file paths via GraphQL mutations. These relative paths are combined with the collection directory path using Node.js's path.join() function without validating that the resulting path stays within the intended collection root directory.

Since path.join() does not prevent directory traversal, an attacker can use '../' sequences in the paths to escape the collection directory and access or modify files outside the intended boundaries. This means an authenticated user with document mutation permissions can manipulate files and folders outside the collection directory.

The vulnerability is related to CWE-22: Improper Limitation of a Pathname to a Restricted Directory. [1]


How can this vulnerability impact me?

An authenticated user with CMS editor permissions can exploit this vulnerability to create, move, rename, or delete files and folders outside the intended collection directory. They can also read file contents through document retrieval mutations.

However, the impact is limited because:

- File content must conform to the collection's GraphQL schema, preventing arbitrary content injection.
- Exploitation requires authenticated access; anonymous users cannot exploit this.
- File operations are typically tracked in git repositories, making malicious changes visible and revertible.

The overall severity is moderate with a CVSS v3.1 base score of 6.3, indicating low impact on confidentiality, integrity, and availability. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for GraphQL mutations that use relative file paths containing directory traversal sequences such as "../". Specifically, look for createDocument, updateDocument, deleteDocument, or createFolder mutations that attempt to access or modify files outside the intended collection directory.

Since all file operations are typically tracked in git repositories, reviewing recent git changes for unexpected file creations, moves, or deletions outside the collection directory can help detect exploitation attempts.

Suggested commands include:

- Using git to check for suspicious changes outside the collection directory: git status, git diff, or git log to identify unexpected file modifications.
- Searching GraphQL logs or network traffic for mutations with relative paths containing "../" sequences.
- Example command to find suspicious paths in logs: grep -rE 'relativePath.*\.\.\/' /path/to/logs [1]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the @tinacms/graphql package to version 2.1.2 or later, where this path traversal vulnerability is fixed.

Additionally, restrict mutation permissions to trusted authenticated users only, as exploitation requires authenticated access with document mutation permissions.

Monitor git repositories for unexpected file changes outside the collection directory to quickly detect and revert any malicious modifications.

