CVE-2026-29066
Received Received - Intake
Arbitrary File Read in TinaCMS CLI Dev Server via Misconfiguration

Publication date: 2026-03-12

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29066
EUVD
EUVD-2026-11615
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ssw tinacms/cli to 2.1.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-29066 is a moderate severity vulnerability in the TinaCMS CLI package affecting versions up to 2.1.16 and fixed in 2.1.8. The issue arises because the TinaCMS CLI development server uses Vite configured with server.fs.strict set to false, which disables Vite's built-in filesystem access restrictions."}, {'type': 'paragraph', 'content': 'This misconfiguration allows any unauthenticated attacker who can access the development server (usually on port 4001) to read arbitrary files on the host system. The server serves files directly from absolute filesystem paths outside of specific route prefixes, enabling attackers to access sensitive files.'}, {'type': 'paragraph', 'content': 'Additionally, the server enables permissive CORS with no origin restrictions, increasing the risk of browser-based attacks such as DNS rebinding.'}] [1]

Impact Analysis

If an attacker can reach the TinaCMS CLI development server, they can read any file accessible by the server process without authentication.

  • Access to sensitive system files such as /etc/passwd and /etc/shadow.
  • Exposure of SSH private keys.
  • Leakage of environment variables including cloud credentials and API keys.
  • Potential compromise of local setups, cloud IDEs with port forwarding, Docker or VM environments with exposed ports, and servers bound to all interfaces (0.0.0.0).
  • Increased risk of browser-based attacks due to permissive CORS settings.
Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the TinaCMS CLI development server is running with the vulnerable configuration, specifically if it is using Vite with server.fs.strict set to false and accessible on the default port 4001.

You can test for the vulnerability by attempting to read sensitive files via HTTP requests to the dev server. For example, using curl commands to request files like /etc/passwd or /etc/hostname can reveal if arbitrary file read is possible.

  • curl http://localhost:4001/etc/passwd
  • curl http://localhost:4001/etc/hostname
Mitigation Strategies

The immediate mitigation step is to upgrade the TinaCMS CLI package to version 2.1.8 or later, where this vulnerability is fixed.

Additionally, ensure that the development server is not exposed to untrusted networks or the internet, especially on port 4001.

Avoid running the dev server with the configuration server.fs.strict set to false, and restrict access to the dev server to trusted users only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29066. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart