CVE-2026-28792
Received Received - Intake
Path Traversal and CORS Flaw in TinaCMS CLI Enables Remote File Manipulation

Publication date: 2026-03-12

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28792
EUVD
EUVD-2026-11611
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ssw tinacms/cli to 2.1.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28792 is a critical vulnerability in the TinaCMS CLI development server that combines two issues: a permissive Cross-Origin Resource Sharing (CORS) configuration and a path traversal flaw.'}, {'type': 'paragraph', 'content': 'The dev server sets the HTTP header Access-Control-Allow-Origin to *, allowing any website to make cross-origin requests to it. The path traversal flaw allows attackers to manipulate file paths to access files and directories outside the intended restricted areas.'}, {'type': 'paragraph', 'content': "When combined, these vulnerabilities enable a remote attacker to perform a browser-based drive-by attack by tricking a developer into visiting a malicious website while the TinaCMS dev server is running locally. The attacker can then read, write, and delete arbitrary files on the developer's machine."}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts on developers running the TinaCMS dev server.'}, {'type': 'list_item', 'content': 'Attackers can enumerate filesystem directories and files beyond intended boundaries.'}, {'type': 'list_item', 'content': 'Attackers can access sensitive files such as .env files, .git/config, SSH keys, cloud credentials, and database configuration files.'}, {'type': 'list_item', 'content': 'Attackers can write arbitrary files, potentially injecting backdoors or modifying source and build files.'}, {'type': 'list_item', 'content': 'Attackers can delete arbitrary files, impacting availability.'}, {'type': 'paragraph', 'content': "Overall, the vulnerability compromises confidentiality, integrity, and availability of the developer's environment."}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the TinaCMS CLI development server is running on your system, especially versions prior to 2.1.8 and up to 2.1.15, and if it is listening on the default port 4001 with a permissive CORS configuration.

You can verify if the TinaCMS dev server is running by checking active processes or network ports.

  • On Linux/macOS, run: `lsof -i :4001` or `netstat -an | grep 4001` to see if the dev server is listening on port 4001.
  • Check running processes for TinaCMS CLI: `ps aux | grep tinacms`.

To confirm the presence of the permissive CORS header, you can send an HTTP request to the local dev server and inspect the response headers.

  • Use curl to check CORS header: `curl -I http://localhost:4001` and look for `Access-Control-Allow-Origin: *` in the response headers.

If these conditions are met, your system is vulnerable to the described attack.

Mitigation Strategies

The immediate and most effective mitigation is to upgrade the TinaCMS CLI development server to version 2.1.8 or later, where this vulnerability is fixed.

Until you can upgrade, avoid running the TinaCMS dev server or ensure it is not running when browsing untrusted websites to prevent drive-by attacks.

Additionally, consider restricting access to the dev server by limiting it to localhost and not exposing it to any external network.

Review and monitor your system for any suspicious file changes or unexpected network activity related to port 4001.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28792. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart