CVE-2026-33949
Received Received - Intake
Path Traversal in TinaCMS @tinacms/graphql Allows Arbitrary File Overwrite

Publication date: 2026-04-01

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33949
EUVD
EUVD-2026-17961
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ssw tinacms/graphql to 2.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33949 is a high-severity path traversal vulnerability in the npm package @tinacms/graphql, affecting versions up to 2.2.1 and fixed in 2.2.2.

The flaw allows unauthenticated remote attackers to write and overwrite arbitrary files within the project root by exploiting improper path validation in GraphQL mutations, specifically via the relativePath parameter.

The root cause is that the path validation function fails to recognize backslashes as directory separators on non-Windows platforms, allowing attackers to bypass validation and perform directory traversal.

This enables attackers to replace critical files such as package.json by sending malicious GraphQL mutations.

Impact Analysis

This vulnerability can have serious impacts including:

  • Overwriting critical server configuration files like package.json and tsconfig.json.
  • Hosting malicious scripts in public directories, which can be used for client-side attacks.
  • Potential arbitrary code execution by modifying build scripts or server-side logic files that are executed by the environment.

These impacts can lead to service disruption and compromise the integrity and availability of the affected system.

Detection Guidance

This vulnerability can be detected by attempting to exploit the path traversal flaw using crafted GraphQL mutations targeting the relativePath parameter. A proof-of-concept involves sending a malicious GraphQL mutation to the TinaCMS development server to overwrite critical files such as package.json.

For detection, you can use a curl command to send a GraphQL mutation that tries to overwrite a file outside the intended directory, for example:

  • curl -X POST http://<target-server>/graphql -H "Content-Type: application/json" -d '{"query":"mutation { writeFile(relativePath: \"x\\..\\..\\..\\package.json\", content: \"test\") }"}'

If the file is overwritten or the server responds positively, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the @tinacms/graphql package to version 2.2.2 or later, where the path traversal issue has been patched.

Additionally, restrict access to the GraphQL endpoint to trusted users or networks until the patch is applied, and monitor for any suspicious file modifications in the project root.

Compliance Impact

The vulnerability allows unauthenticated attackers to overwrite arbitrary files within the project root, including critical server configuration files and build scripts. This can lead to arbitrary code execution and potential service disruption.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to modify server files and execute arbitrary code could indirectly impact compliance by compromising system integrity and availability, which are important aspects of these regulations.

Specifically, the high integrity and availability impact (CVSS score 8.1) suggests that systems using vulnerable versions of @tinacms/graphql could face risks that might affect their ability to protect sensitive data and maintain reliable operations, potentially leading to non-compliance with regulatory requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33949. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart