CVE-2026-34604
Received - Intake
Symlink Traversal in TinaCMS FilesystemBridge Allows Unauthorized Access

Publication date: 2026-04-01

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2.
Meta Information
Published: 2026-04-01
Last Modified: 2026-04-07
Generated: 2026-05-07
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: ssw
Product: tinacms/graphql
Version / Range: to 2.2.1 (inc)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-59: The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34604 is a path traversal vulnerability in the @tinacms/graphql package used by TinaCMS, a headless content management system. The issue arises because the FilesystemBridge component uses string-based path containment checks that block simple directory traversal like "../", but do not properly resolve symbolic links (symlinks) or junction points.

If a symlink or junction exists inside the allowed content root that points outside it, the path validation incorrectly considers the target path as inside the base directory. This allows methods like get(), put(), delete(), and glob() to operate on files outside the intended root directory.

The vulnerability is due to the validation only checking lexical path strings without resolving the actual filesystem targets, enabling unauthorized file read, write, or delete operations outside the configured content root.

This issue has been fixed in version 2.2.2 by replacing string-based checks with realpath-aware checks that resolve canonical filesystem paths before validation.


How can this vulnerability impact me?

This vulnerability can allow an attacker to read, write, or delete files outside the intended content root directory in TinaCMS when using the vulnerable @tinacms/graphql versions.

Because the path validation does not properly resolve symlinks or junctions, an attacker who can create or exploit existing symlinks inside the content root can bypass directory restrictions.

The impact includes unauthorized access to sensitive files, modification or deletion of important data, and potential disruption of application functionality.

The vulnerability has a high severity score (CVSS 7.1) with high confidentiality and integrity impacts, meaning sensitive data could be exposed or altered.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability arises from improper path validation that fails to resolve symbolic links or junctions, allowing file operations outside the intended directory. Detection involves checking for the presence of symlinks or junctions inside the allowed content root that point outside it.

You can detect potential exploitation or presence of this vulnerability by identifying symlinks or junctions within the content root directory and verifying if they point outside the base directory.

  • On Linux/macOS, use the command: find /path/to/content/root -type l -exec ls -l {} \;
  • On Windows, use PowerShell to find junctions or symlinks: Get-ChildItem -Path C:\path\to\content\root -Recurse -Attributes ReparsePoint

Additionally, monitoring file operations performed by the @tinacms/graphql package, especially calls to FilesystemBridge methods (get(), put(), delete(), glob()), for paths that resolve outside the base directory can help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the @tinacms/graphql package to version 2.2.2 or later, where this vulnerability has been patched.

The patch replaces the string-based path containment checks with realpath-aware checks that resolve canonical filesystem paths using fs.realpath(), preventing symlink or junction traversal outside the intended directory.

Until the upgrade is applied, you should audit and remove any symlinks or junctions inside the content root that point outside the allowed directory to reduce risk.

Restrict access to TinaCMS’s GraphQL/content operations to trusted users only, as exploitation requires attacker-controlled relative paths.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthorized read, write, and delete operations on files outside the intended content root due to improper path validation that does not resolve symlinks or junctions.

Such unauthorized filesystem access can lead to exposure or modification of sensitive data, potentially violating data protection requirements in standards and regulations like GDPR and HIPAA.

Because the vulnerability compromises confidentiality and integrity of data (as indicated by the high CVSS impact on confidentiality and integrity), affected systems may fail to maintain compliance with these regulations that mandate strict controls on data access and protection.

