CVE-2026-28791
Status: Received - Intake
Path Traversal in TinaCMS Media Upload Allows Arbitrary File Write

Publication date: 2026-03-12

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.
Meta Information
Published: 2026-03-12
Last Modified: 2026-03-13
Generated: 2026-05-07
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: ssw
Product: tinacms/cli
Version / Range: up to 2.1.7 (excluding 2.1.7)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28791 is a path traversal vulnerability in the media upload handler of TinaCMS's development server, affecting versions up to 2.0.5. The vulnerability occurs because user-supplied path segments are joined using path.join() without proper validation, allowing attackers to craft paths with traversal sequences like '../../../' that escape the intended media directory.

This means an attacker can write files to arbitrary locations on the filesystem outside the designated media folder by exploiting this flaw. The issue exists in multiple handlers and methods related to media upload, deletion, and listing.

Although some HTTP servers normalize path traversal sequences before they reach the handler, the underlying code lacks validation, so exploitation is possible in certain configurations. [1]


How can this vulnerability impact me?

This vulnerability can have serious impacts including arbitrary file writes to the filesystem, which can lead to remote code execution by overwriting critical files such as SSH keys, source code, or cron jobs.

It can also cause denial of service through arbitrary file deletion and information disclosure via directory listing.

The vulnerability primarily affects developers running TinaCMS in development mode or those exposing the development server API.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP POST requests to the TinaCMS development server's media upload endpoint for suspicious path traversal patterns such as sequences containing "../" in the path segments.

Since the vulnerability involves path traversal in the media upload handler, you can look for requests to endpoints like `/media/upload/` that include traversal sequences attempting to write files outside the intended media directory.

Example commands to detect potential exploitation attempts include using network traffic inspection tools or web server logs to search for traversal patterns:

- Using grep on server logs to find suspicious paths: `grep -E '\.\./|\.\.\\' /path/to/access.log`
- Using tcpdump or tshark to capture HTTP POST requests containing traversal sequences: `tshark -Y 'http.request.method == "POST" && http.request.uri contains ".."' -T fields -e http.host -e http.request.uri`

Additionally, reviewing the source code or running a Node.js script simulating the vulnerable logic (as demonstrated in the proof of concept) can help confirm if the system is vulnerable. [1]
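A small log scanner for the review step above, added here as an example and not part of the advisory or of TinaCMS: it parses constructed common-log-format lines, keeps only requests under an assumed `/media/upload` prefix, and flags ".." path components after percent-decoding the path twice, so encoded variants such as `%2e%2e`, `%252e` or `..%5c` that a literal grep for `../` misses are also reported. The log lines, the endpoint prefix and the function names are assumptions.

```javascript
// Added example, not part of the advisory or of TinaCMS. The log format
// (common log format), endpoint prefix and sample lines are assumptions.

// ".." as a whole path component, after separators have been normalised to "/".
const TRAVERSAL = /(^|\/)\.\.(\/|$)/;

// Percent-decode up to twice so that %2e%2e and %252e%252e both surface as "..";
// stop on a malformed escape instead of throwing.
function decodeTwice(s) {
  let out = s;
  for (let i = 0; i < 2; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (e) { break; }
    if (next === out) break;
    out = next;
  }
  return out;
}

// True when the (decoded, separator-normalised) path contains a ".." component.
function hasTraversal(uriPath) {
  const decoded = decodeTwice(uriPath).replace(/\\/g, '/');
  return TRAVERSAL.test(decoded);
}

// ip ident user [time] "METHOD uri PROTO" status size
const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

// Return the requests under endpointPrefix whose path carries a traversal sequence.
function findTraversalRequests(lines, endpointPrefix = '/media/upload') {
  const hits = [];
  for (const line of lines) {
    const m = CLF.exec(line);
    if (!m) continue; // not a request line in the expected format
    const [, ip, ts, method, uri, status] = m;
    const uriPath = uri.split('?')[0];
    if (!decodeTwice(uriPath).startsWith(endpointPrefix)) continue;
    if (hasTraversal(uriPath)) hits.push({ ip, ts, method, uri, status: Number(status) });
  }
  return hits;
}

// Constructed sample lines (not real traffic): one clean upload, a plain and a
// percent-encoded traversal attempt, one unrelated request, one backslash variant.
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "POST /media/upload/images/logo.png HTTP/1.1" 200 512',
  '10.0.0.9 - - [12/Mar/2026:10:01:07 +0000] "POST /media/upload/../../tmp/out.txt HTTP/1.1" 200 87',
  '10.0.0.9 - - [12/Mar/2026:10:01:09 +0000] "POST /media/upload/%2e%2e/%2e%2e/tmp/out.txt HTTP/1.1" 200 91',
  '10.0.0.3 - - [12/Mar/2026:10:02:00 +0000] "GET /admin/index.html HTTP/1.1" 404 0',
  '10.0.0.9 - - [12/Mar/2026:10:02:11 +0000] "POST /media/upload/..%5c..%5ctmp/out.txt HTTP/1.1" 400 0',
];

for (const h of findTraversalRequests(SAMPLE_LOG)) {
  console.log(`${h.ts} ${h.ip} ${h.method} ${h.uri} -> ${h.status}`);
}
```

Running it over the sample prints the three requests from 10.0.0.9; the response status is kept in each hit because a 200 on a traversal path is the line worth escalating, while a 400 suggests the front-end server rejected it.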


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing strict path validation to ensure that any resolved file paths remain within the intended media directory.

Specifically, the server should resolve the full path of the uploaded file and verify that it starts with the resolved media folder path. If the path is outside this directory, the request should be rejected with a 403 Forbidden error.

This validation must be applied consistently across all affected handlers and methods, including the media upload handler (`handlePost`), delete handler (`handleDelete`), list handler (`handleList`), and related MediaModel methods.

Alternatively, create a reusable validation helper function that throws an error if path traversal is detected.

Also, ensure that your TinaCMS version is updated to 2.1.7 or later, where this vulnerability is fixed.

Note that relying solely on HTTP layer normalization (e.g., by Vite or other HTTP servers) is insufficient; defense-in-depth requires validation at the application code level.

