CVE-2026-28792
Status: Received - Intake
Path Traversal and CORS Flaw in TinaCMS CLI Enables Remote File Manipulation

Publication date: 2026-03-12

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developers' machines simply by tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.
Meta Information

  • Published: 2026-03-12
  • Last Modified: 2026-03-13
  • Generated: 2026-05-06
  • AI Q&A: 2026-03-12
  • EPSS Evaluated: 2026-05-05
  • Related records: NVD, EUVD
Affected Vendors & Products (1 associated CPE)

  • Vendor: ssw; Product: tinacms/cli; Version / Range: up to 2.1.8 (excluding 2.1.8)
CWE

  • CWE-942: The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
  • CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28792 is a critical vulnerability in the TinaCMS CLI development server that combines two issues: a permissive Cross-Origin Resource Sharing (CORS) configuration and a path traversal flaw.

The dev server sets the HTTP header Access-Control-Allow-Origin to *, allowing any website to make cross-origin requests to it. The path traversal flaw allows attackers to manipulate file paths to access files and directories outside the intended restricted areas.

When combined, these vulnerabilities enable a remote attacker to perform a browser-based drive-by attack by tricking a developer into visiting a malicious website while the TinaCMS dev server is running locally. The attacker can then read, write, and delete arbitrary files on the developer's machine. [1]


How can this vulnerability impact me?

This vulnerability can have severe impacts on developers running the TinaCMS dev server.

  • Attackers can enumerate filesystem directories and files beyond intended boundaries.
  • Attackers can access sensitive files such as .env files, .git/config, SSH keys, cloud credentials, and database configuration files.
  • Attackers can write arbitrary files, potentially injecting backdoors or modifying source and build files.
  • Attackers can delete arbitrary files, impacting availability.

Overall, the vulnerability compromises confidentiality, integrity, and availability of the developer's environment. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the TinaCMS CLI development server is running on your system, especially versions prior to 2.1.8 and up to 2.1.15, and if it is listening on the default port 4001 with a permissive CORS configuration.

You can verify if the TinaCMS dev server is running by checking active processes or network ports.

  • On Linux/macOS, run: `lsof -i :4001` or `netstat -an | grep 4001` to see if the dev server is listening on port 4001.
  • Check running processes for TinaCMS CLI: `ps aux | grep tinacms`.

To confirm the presence of the permissive CORS header, you can send an HTTP request to the local dev server and inspect the response headers.

  • Use curl to check CORS header: `curl -I http://localhost:4001` and look for `Access-Control-Allow-Origin: *` in the response headers.

If these conditions are met, your system is vulnerable to the described attack.
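The checks above, combined into one script, as an added example that is not part of this record or of the TinaCMS project. It assumes the default port 4001 named above (overridable through TINA_PORT) and that curl is installed; unlike a bare `curl -I`, it sends an Origin header, because many servers only emit CORS headers on cross-origin requests, so a plain HEAD request can miss the wildcard.

```shell
#!/bin/sh
# Added example (not from the advisory or the TinaCMS project): report whether a
# local TinaCMS dev server is listening and answers cross-origin requests with
# Access-Control-Allow-Origin: *. Assumption: port 4001 is the default dev-server port.

PORT="${TINA_PORT:-4001}"

# Read HTTP response headers from stdin; return 0 when a wildcard
# Access-Control-Allow-Origin header is present, 1 otherwise.
# CRLF line endings are stripped and header names are matched case-insensitively.
is_permissive_cors() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]' \
        | grep -Eq '^access-control-allow-origin:[[:space:]]*\*[[:space:]]*$'
}

# Probe the local dev server. Exit status: 0 = wildcard CORS seen (vulnerable
# configuration), 1 = server answers without wildcard CORS, 2 = nothing listening.
check_dev_server() {
    # A real cross-origin request: the Origin value is a constructed placeholder.
    headers=$(curl -s --max-time 5 -o /dev/null -D - \
                   -H "Origin: http://attacker.invalid" \
                   "http://127.0.0.1:${PORT}/" 2>/dev/null) || {
        echo "no server answering on 127.0.0.1:${PORT}"
        return 2
    }
    if printf '%s\n' "$headers" | is_permissive_cors; then
        echo "VULNERABLE CONFIG: wildcard Access-Control-Allow-Origin on port ${PORT}"
        return 0
    fi
    echo "server on port ${PORT} does not send a wildcard CORS header"
    return 1
}

# Run the live probe only when asked, so the functions can also be sourced.
case "${1:-}" in
    --check) check_dev_server ;;
esac
```

Run it as `sh tina_cors_check.sh --check` on the developer machine while `tinacms dev` is up; a nonzero exit of 1 or 2 means the wildcard header was not observed.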


What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to upgrade the TinaCMS CLI development server to version 2.1.8 or later, where this vulnerability is fixed.

Until you can upgrade, avoid running the TinaCMS dev server or ensure it is not running when browsing untrusted websites to prevent drive-by attacks.

Additionally, consider restricting access to the dev server by limiting it to localhost and not exposing it to any external network.

Review and monitor your system for any suspicious file changes or unexpected network activity related to port 4001.

