Executive Summary

CVE-2026-28793 is a path traversal vulnerability in the TinaCMS CLI development server prior to version 2.1.8. The server exposes media endpoints such as /media/list/*, /media/upload/*, and /media/* that process user-supplied path segments without properly validating that the resolved file paths remain within the intended media directory.

Because the server uses decodeURI() and path.join() without checking if the resulting path is confined to the media folder, attackers can manipulate the path to access files outside the media directory.

This allows attackers to read, write, or delete arbitrary files on the filesystem accessible by the server process, potentially including sensitive files like /etc/passwd, .env files, or SSH keys.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts if exploited. An attacker with access to the development server can:

• Read sensitive files outside the media directory, such as system files or configuration files containing secrets.
• Write or overwrite files anywhere writable by the server process, which could include executable scripts or source code.
• Delete arbitrary files outside the media directory.

These actions can lead to code execution, data loss, or unauthorized disclosure of sensitive information. Although the attack vector is local by default, exploitation is realistic in cloud IDEs, containerized environments with port forwarding, or misconfigured servers exposed externally.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the TinaCMS CLI development server is running a vulnerable version (up to 2.1.15) and if the local HTTP server (default port 4001) exposes the media endpoints `/media/list/*`, `/media/upload/*`, and `/media/*` without proper path validation.

You can test for path traversal by attempting to access or upload files outside the intended media directory using crafted HTTP requests targeting these endpoints.

Example commands using curl to detect the vulnerability include:

• Read arbitrary file (e.g., /etc/passwd): curl -v http://localhost:4001/media/list/../../../etc/passwd
• Write arbitrary file (e.g., /tmp/pwned.txt): curl -X POST --data-binary @yourfile.txt http://localhost:4001/media/upload/../../../tmp/pwned.txt
• Delete arbitrary file (e.g., /tmp/delete-test.txt): curl -X DELETE http://localhost:4001/media/../../../tmp/delete-test.txt

If these commands succeed in reading, writing, or deleting files outside the media directory, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Upgrade the TinaCMS CLI package to version 2.1.8 or later, where the vulnerability is fixed.
• If upgrading is not immediately possible, restrict access to the development server by ensuring it only binds to localhost and is not exposed externally.
• Consider adding authentication or token-based protection to the dev server endpoints to prevent unauthorized access.
• Avoid running the dev server in environments where port forwarding or external access is possible without proper network controls.
• Monitor and audit file system access around the media directory to detect suspicious activity.

Useful 0 Not Useful 0