CVE-2026-24125: Authenticated Path Traversal in TinaCMS GraphQL Mutations
Vulnerability ID: CVE-2026-24125
CVSS Score: 6.3
Published: 2026-03-12
CVE-2026-24125 is a medium-severity path traversal vulnerability in the @tinacms/graphql package. Authenticated users can exploit improper path validation in GraphQL mutations to create, read, update, or delete arbitrary files on the host system.
TL;DR
Improper path handling in TinaCMS GraphQL mutations allows authenticated attackers to traverse directories and manipulate arbitrary files via the relativePath parameter. Upgrading to version 2.1.2 resolves the issue.
⚠️ Exploit Status: Proof of Concept (POC)
Technical Details
- CWE ID: CWE-22
- Attack Vector: Network
- CVSS Score: 6.3
- Privileges Required: Low
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
Affected Systems
- TinaCMS (@tinacms/graphql)
- @tinacms/graphql: < 2.1.2 (Fixed in: 2.1.2)
Mitigation Strategies
- Upgrade @tinacms/graphql to version 2.1.2 or higher
- Implement strict path boundary validation using path.resolve and string prefix checking
- Deploy WAF rules to detect directory traversal sequences in GraphQL mutation arguments
- Restrict the file system permissions of the Node.js process to the minimum required directories
Remediation Steps
- Audit project dependencies to identify the current version of @tinacms/graphql
- Run npm update @tinacms/graphql or yarn upgrade @tinacms/graphql to install version 2.1.2 (confirm that the version range in package.json permits 2.1.2, and check the lockfile afterwards)
- Review application logs for historical exploitation attempts targeting the relativePath parameter
- Verify the application deployment process restricts the Node.js user from accessing sensitive files like /etc/passwd or application configuration files
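The log-review step above is concrete enough to script. The following is an added example, not tooling from TinaCMS or from this advisory's author: it assumes the application writes one JSON object per line containing the GraphQL operation name and its variables (the field names `ts`, `user`, `op` and `variables` are assumptions), walks each request for `relativePath` values, percent-decodes them (repeatedly, to catch double encoding), and flags absolute paths, NUL bytes and `..` segments. The sample log lines are constructed for the example.

```javascript
// Constructed sample log lines in the assumed one-JSON-object-per-line format.
const SAMPLE_LOG = [
  '{"ts":"2026-03-13T10:00:01Z","user":"editor1","op":"updateDocument","variables":{"collection":"post","relativePath":"hello-world.md"}}',
  '{"ts":"2026-03-13T10:00:07Z","user":"editor2","op":"createDocument","variables":{"collection":"post","relativePath":"../../../etc/passwd"}}',
  '{"ts":"2026-03-13T10:00:09Z","user":"editor2","op":"deleteDocument","variables":{"collection":"post","relativePath":"%2e%2e%2f%2e%2e%2fconfig.json"}}',
  '{"ts":"2026-03-13T10:00:12Z","user":"editor1","op":"updateDocument","variables":{"collection":"page","params":{"relativePath":"about/team.md"}}}',
  'not a json line at all',
  '{"ts":"2026-03-13T10:00:20Z","user":"editor3","op":"createDocument","variables":{"collection":"post","relativePath":"/etc/passwd"}}',
];

// Percent-decode until the value stops changing (bounded), so "%252e%252e"
// style double encoding is unwrapped. Malformed escapes are left as-is.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { return current; }
    if (next === current) return current;
    current = next;
  }
  return current;
}

// Return a human-readable reason when `rawPath` looks like an attempt to leave
// the content directory, or null when it looks benign.
function traversalReason(rawPath) {
  const decoded = fullyDecode(rawPath);
  if (decoded.includes('\0')) return 'null byte';
  if (/^([a-zA-Z]:)?[\\/]/.test(decoded)) return 'absolute path';
  // Split on both separator styles so "..\\" is treated the same as "../".
  if (decoded.split(/[\\/]+/).includes('..')) return 'dot-dot segment';
  return null;
}

// Collect every string-valued `relativePath` key, however deeply nested in the
// variables object (TinaCMS mutations may carry it inside nested input types).
function collectRelativePaths(obj, out) {
  const found = out || [];
  if (obj && typeof obj === 'object') {
    for (const [key, value] of Object.entries(obj)) {
      if (key === 'relativePath' && typeof value === 'string') found.push(value);
      else collectRelativePaths(value, found);
    }
  }
  return found;
}

// Scan log lines and return one finding per suspicious relativePath value.
function findTraversalAttempts(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    let entry;
    try { entry = JSON.parse(line); } catch (e) { return; } // skip non-JSON lines
    for (const relativePath of collectRelativePaths(entry.variables)) {
      const reason = traversalReason(relativePath);
      if (reason) {
        findings.push({ lineNumber: index + 1, ts: entry.ts, user: entry.user, op: entry.op, relativePath, reason });
      }
    }
  });
  return findings;
}

module.exports = { SAMPLE_LOG, fullyDecode, traversalReason, collectRelativePaths, findTraversalAttempts };
```

Run over the constructed sample, the scan reports three findings (lines 2, 3 and 6) and leaves the two legitimate edits alone. A hit does not by itself prove a successful write; pair each finding with the file-modification times and Git history of the content directory to decide whether anything outside it was actually touched.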
References
Read the full report for CVE-2026-24125 on our website for more details including interactive diagrams and full exploit analysis.