CVE-2026-29066
Received - Intake
Arbitrary File Read in TinaCMS CLI Dev Server via Misconfiguration

Publication date: 2026-03-12

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
Meta Information
Published: 2026-03-12
Last Modified: 2026-03-13
Generated: 2026-05-07
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: ssw
Product: tinacms/cli
Version / Range: all versions up to 2.1.8, excluding 2.1.8
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-552: The product makes files or directories accessible to unauthorized actors, even though they should not be.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-29066 is a moderate severity vulnerability in the TinaCMS CLI package (@tinacms/cli) affecting versions prior to 2.1.8, where it is fixed. The issue arises because the TinaCMS CLI development server starts Vite with server.fs.strict set to false, which disables Vite's built-in restriction on which filesystem paths the dev server may serve.

This misconfiguration allows any unauthenticated attacker who can reach the development server (by default on port 4001) to read any file the server process can read. The server serves files directly from absolute filesystem paths for requests outside its specific route prefixes, so sensitive files anywhere on the host are reachable.

Additionally, the server enables permissive CORS with no origin restrictions, which extends the attack to browsers: a malicious page visited by the developer can use techniques such as DNS rebinding to make the browser issue requests to the dev server on localhost and read the responses. [1]


How can this vulnerability impact me?

If an attacker can reach the TinaCMS CLI development server, they can read any file the server process itself can read, without authentication. On a developer workstation the process normally runs as that developer's user, so the exposure is that user's files; in a container or CI job running as root it is every file on the system.

  • Access to sensitive system files such as /etc/passwd and, when the server runs as root, /etc/shadow.
  • Exposure of SSH private keys and other secrets in the user's home directory (for example ~/.ssh/id_ed25519, ~/.aws/credentials).
  • Leakage of environment variables, including cloud credentials and API keys, via .env files in the project or /proc/self/environ on Linux.
  • Compromise of local setups, cloud IDEs with port forwarding, Docker or VM environments with exposed ports, and servers bound to all interfaces (0.0.0.0).
  • Increased risk of browser-based attacks due to permissive CORS settings: a malicious web page visited while the dev server runs can read the served files.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

First establish whether an affected build is present: every @tinacms/cli release prior to 2.1.8 is affected regardless of your project configuration, because the CLI itself starts Vite with server.fs.strict set to false. Then check whether a dev server is listening and on which interface, since reachability from beyond the developer's own machine is what turns the bug into an exposure.

  • npm ls @tinacms/cli
  • ss -ltnp | grep ':4001'   (Linux; on macOS: lsof -nP -iTCP:4001 -sTCP:LISTEN)

A listener on 0.0.0.0 or a routable address is reachable from the network; one on 127.0.0.1 is reachable only locally or through port forwarding and browser-based attacks.

You can confirm the arbitrary file read by requesting host files from the dev server over HTTP. The first two requests use the bare absolute paths the server is described as serving; the third uses Vite's own /@fs/ prefix, the generic route that server.fs.strict normally guards, and is worth trying as well. Run them from the vantage point whose exposure you want to measure, not only from localhost.

  • curl http://localhost:4001/etc/passwd
  • curl http://localhost:4001/etc/hostname
  • curl http://localhost:4001/@fs/etc/passwd

A response containing the file contents (for /etc/passwd, a line beginning root:x:0:0:) confirms the issue; a 403 or 404 for all three paths indicates the restriction is in effect.
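The two checks above, as an added example in Node.js that is not part of the advisory or of the TinaCMS project: it extracts the installed version from `npm ls @tinacms/cli --json` output and compares it with the fixed release, and it probes a dev server for out-of-root reads using both the bare absolute path and Vite's /@fs/ prefix. The npm output embedded below is constructed for the example; the probe needs a running server and is only invoked with the `--probe` flag.

```javascript
// Added example, not from the advisory or the TinaCMS project.
// Usage: node check.js                 (version logic on the constructed sample)
//        node check.js --probe http://host:4001   (live probe; Node 18+ for fetch)

const FIXED_VERSION = "2.1.8";

// Strictly-less-than on major.minor.patch; a pre-release suffix ("-beta.2") is ignored.
function versionLt(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map((n) => Number(n) || 0);
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const xi = x[i] || 0, yi = y[i] || 0;
    if (xi !== yi) return xi < yi;
  }
  return false;
}

// Affected range per the advisory: everything before 2.1.8.
function isAffectedVersion(v) {
  return versionLt(v, FIXED_VERSION);
}

// Extract the installed version from `npm ls @tinacms/cli --json` output;
// null when the package is not in the dependency tree.
function cliVersionFromNpmLs(jsonText) {
  const tree = JSON.parse(jsonText);
  const dep = tree.dependencies && tree.dependencies["@tinacms/cli"];
  return dep && dep.version ? dep.version : null;
}

// Constructed sample of `npm ls @tinacms/cli --json` for a project on 2.1.7.
const SAMPLE_NPM_LS = JSON.stringify({
  version: "1.0.0",
  name: "my-site",
  dependencies: { "@tinacms/cli": { version: "2.1.7" } },
});

// Probe: resolves to the first path whose response looks like passwd(5), or
// null. Run it from the network position whose exposure you are measuring;
// a hit from localhost demonstrates the bug, not that the server is reachable.
async function probeDevServer(base = "http://localhost:4001") {
  for (const p of ["/etc/passwd", "/@fs/etc/passwd"]) {
    try {
      const res = await fetch(base + p, { signal: AbortSignal.timeout(5000) });
      if (res.ok && /^root:[^:]*:0:0:/m.test(await res.text())) return p;
    } catch {
      // connection refused or timeout: treat as "not served"
    }
  }
  return null;
}

const installed = cliVersionFromNpmLs(SAMPLE_NPM_LS);
console.log(`@tinacms/cli ${installed}: affected=${isAffectedVersion(installed)} (fixed in ${FIXED_VERSION})`);

if (process.argv.includes("--probe")) {
  const base = process.argv[process.argv.indexOf("--probe") + 1] || "http://localhost:4001";
  probeDevServer(base).then((hit) =>
    console.log(hit ? `VULNERABLE: ${base}${hit} served the host's /etc/passwd`
                    : `no out-of-root read observed at ${base}`));
}
```

Feed real `npm ls @tinacms/cli --json` output to `cliVersionFromNpmLs` to check a project; the probe's regular expression accepts both the Linux `root:x:0:0:` and the macOS `root:*:0:0:` first line.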

What immediate steps should I take to mitigate this vulnerability?

Upgrade the TinaCMS CLI package (@tinacms/cli) to version 2.1.8 or later, where this vulnerability is fixed. Because the vulnerable setting (server.fs.strict: false) is applied by the CLI itself rather than by your project configuration, the upgrade is the only change that removes it.

Until you can upgrade, treat the dev server as an unauthenticated file server and limit who can reach it: do not bind it to 0.0.0.0, do not expose port 4001 through Docker port mappings, VM forwarding rules, cloud IDE port forwarding or tunnels, and do not run tinacms dev on shared or internet-facing hosts.

Because the server also allows any origin via CORS, a developer who browses untrusted sites while the dev server is running is exposed to browser-based attacks such as DNS rebinding; stop the dev server when it is not in use and restart it only after upgrading.
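To make concrete what the description and the mitigation refer to, here is an added example that is not code from TinaCMS or Vite: a simplified model of the decision Vite's dev server makes before serving a file from disk. With server.fs.strict true, the resolved path must lie under an allowed root; with strict false (the setting the vulnerable CLI applied) only the deny patterns remain. The project root, file names and probe requests are constructed, and the deny list is a regex stand-in for Vite's glob patterns; Tina's own route handling for bare absolute paths is not modelled.

```javascript
// Added example, not code from TinaCMS or Vite: models the effect of
// server.fs.strict on which on-disk paths a Vite dev server will serve.

const PROJECT_ROOT = "/srv/site"; // hypothetical project checkout

// Regex stand-in for Vite's default deny globs (.env files, certificates).
const DEFAULT_DENY = [/^\.env$/, /^\.env\..+$/, /\.(crt|pem)$/];

// What the vulnerable CLI effectively configured, and the corrected form.
const VULNERABLE_FS = { strict: false, allow: [PROJECT_ROOT], deny: DEFAULT_DENY };
const HARDENED_FS = { strict: true, allow: [PROJECT_ROOT], deny: DEFAULT_DENY };

// Collapse "." and ".." so a traversal such as "/../../etc/passwd" is judged
// by where it ends up, not by how it was spelled.
function normalizeAbs(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Vite serves "/@fs/<absolute path>" as that path; any other URL is resolved
// relative to the project root. Malformed percent-encoding yields null.
function urlToFsPath(urlPath, root) {
  let clean;
  try { clean = decodeURIComponent(urlPath.split("?")[0]); } catch { return null; }
  if (clean.startsWith("/@fs/")) return normalizeAbs(clean.slice("/@fs".length));
  return normalizeAbs(root + "/" + clean);
}

function isUnderRoot(fsPath, root) {
  const r = normalizeAbs(root);
  return fsPath === r || fsPath.startsWith(r + "/");
}

// The check that strict:false switches off. Deny patterns apply regardless;
// with strict false every non-denied path on the host passes.
function isFileServingAllowed(fsPath, fs) {
  if (fsPath === null) return false;
  const base = fsPath.slice(fsPath.lastIndexOf("/") + 1);
  if (fs.deny.some((re) => re.test(base))) return false;
  if (!fs.strict) return true;
  return fs.allow.some((root) => isUnderRoot(fsPath, root));
}

// "Would this request be served?" for a given server.fs setting.
function wouldServe(urlPath, fs, root = PROJECT_ROOT) {
  return isFileServingAllowed(urlToFsPath(urlPath, root), fs);
}

// Constructed requests in the spirit of the advisory's proof of concept.
const PROBES = [
  "/@fs/etc/passwd",
  "/../../etc/passwd",
  "/@fs/home/dev/.ssh/id_ed25519",
  "/@fs/srv/site/.env",
  "/src/main.ts",
];
for (const p of PROBES) {
  console.log(p.padEnd(32), "strict:false ->", wouldServe(p, VULNERABLE_FS),
              " strict:true ->", wouldServe(p, HARDENED_FS));
}
```

The deny list still blocks the project's own .env under both settings, which is why a quick test against `/.env` can give false reassurance: the distinguishing requests are the ones for paths outside the project root, such as /@fs/etc/passwd or a private key in the developer's home directory.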

