CVE-2026-33949
Status: Received - Intake
Path Traversal in TinaCMS @tinacms/graphql Allows Arbitrary File Overwrite

Publication date: 2026-04-01

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build scripts. This issue has been patched in version 2.2.2.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: ssw
Product: tinacms/graphql
Version / Range: up to 2.2.1 (inclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33949 is a high-severity path traversal vulnerability in the npm package @tinacms/graphql, affecting versions up to 2.2.1 and fixed in 2.2.2.

The flaw allows unauthenticated remote attackers to write and overwrite arbitrary files within the project root by exploiting improper path validation in GraphQL mutations, specifically via the relativePath parameter.

The root cause is that the path validation function fails to recognize backslashes as directory separators on non-Windows platforms, allowing attackers to bypass validation and perform directory traversal.

This enables attackers to replace critical files such as package.json by sending malicious GraphQL mutations.


How can this vulnerability impact me?

This vulnerability can have serious impacts including:

  • Overwriting critical server configuration files like package.json and tsconfig.json.
  • Hosting malicious scripts in public directories, which can be used for client-side attacks.
  • Potential arbitrary code execution by modifying build scripts or server-side logic files that are executed by the environment.

These impacts can lead to service disruption and compromise the integrity and availability of the affected system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to exploit the path traversal flaw using crafted GraphQL mutations targeting the relativePath parameter. A proof-of-concept involves sending a malicious GraphQL mutation to the TinaCMS development server to overwrite critical files such as package.json.

For detection, you can use a curl command to send a GraphQL mutation that tries to overwrite a file outside the intended directory, for example:

  • curl -X POST http://<target-server>/graphql -H "Content-Type: application/json" -d '{"query":"mutation { writeFile(relativePath: \"x\\..\\..\\..\\package.json\", content: \"test\") }"}'

If the file is overwritten or the server responds positively, it indicates the presence of the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade the @tinacms/graphql package to version 2.2.2 or later, where the path traversal issue has been patched.

Additionally, restrict access to the GraphQL endpoint to trusted users or networks until the patch is applied, and monitor for any suspicious file modifications in the project root.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to overwrite arbitrary files within the project root, including critical server configuration files and build scripts. This can lead to arbitrary code execution and potential service disruption.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to modify server files and execute arbitrary code could indirectly impact compliance by compromising system integrity and availability, which are important aspects of these regulations.

Specifically, the high integrity and availability impact (CVSS score 8.1) suggests that systems using vulnerable versions of @tinacms/graphql could face risks that might affect their ability to protect sensitive data and maintain reliable operations, potentially leading to non-compliance with regulatory requirements.

