CVE-2026-28791: Unauthenticated Path Traversal in TinaCMS Media Upload Handler
Vulnerability ID: CVE-2026-28791
CVSS Score: 7.4
Published: 2026-03-12
A high-severity path traversal vulnerability in the TinaCMS development server prior to version 2.1.7 allows unauthenticated attackers to write arbitrary files to the host filesystem. The vulnerability exists in the media upload handler, which improperly sanitizes user-supplied file paths.
TL;DR
TinaCMS development servers < 2.1.7 are vulnerable to unauthenticated arbitrary file writes via a path traversal flaw in the media upload handler. Attackers can leverage this to overwrite source files or configuration data, potentially achieving Remote Code Execution (RCE).
Technical Details
- CWE ID: CWE-22
- Attack Vector: Network
- CVSS v3.1 Score: 7.4
- Impact: Arbitrary File Write / RCE
- Exploit Status: None
- CISA KEV: No
Affected Systems
- TinaCMS Development Server
- Node.js environments running vulnerable TinaCMS versions
- TinaCMS: < 2.1.7 (Fixed in: 2.1.7)
Mitigation Strategies
- Upgrade TinaCMS to version 2.1.7 or later.
- Restrict network access to the development server (bind to localhost only).
- Run the development server process with least-privilege file system permissions.
- Implement Web Application Firewall (WAF) rules to block requests containing path traversal sequences targeting media endpoints.
Remediation Steps:
- Identify all projects utilizing TinaCMS development servers.
- Update the @tinacms/cli and related packages to version 2.1.7 via npm, yarn, or pnpm.
- Review network configurations and container port bindings to ensure port 4001 (or the configured dev server port) is not exposed externally.
- Verify that the Node.js process runs under a restricted user account without global write access to the filesystem.
References
Read the full report for CVE-2026-28791 on our website for more details including interactive diagrams and full exploit analysis.