
CVE Reports

Posted on • Originally published at cvereports.com


CVE-2026-28792: Cross-Origin File Exfiltration and Path Traversal in TinaCMS CLI

Vulnerability ID: CVE-2026-28792
CVSS Score: 9.7
Published: 2026-03-12

The TinaCMS CLI development server prior to version 2.1.8 accepts cross-origin requests from any website. A developer who visits a malicious page while the local server is running can have arbitrary files read from, written to, or deleted on the workstation: the page's scripts call the server's endpoints directly, and path traversal weaknesses in those endpoints let the requests reach outside the project directory. No interaction beyond loading the page is needed, hence "drive-by".

TL;DR

A permissive CORS configuration combined with path traversal weaknesses in the TinaCMS CLI development server allows malicious websites to steal local files from developers running local testing environments.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Cross-Origin File Exfiltration & Path Traversal
  • Attack Vector: Network (Drive-by Browser Exploit)
  • CWE ID: CWE-942, CWE-22
  • CVSS v3.1: 9.7 (Critical)
  • Exploit Status: Proof of Concept Available
  • Affected Component: TinaCMS Development Server

Affected Systems

  • TinaCMS CLI (@tinacms/cli)
  • @tinacms/cli: < 2.1.8 (Fixed in: 2.1.8)

Code Analysis

Commit: 56d533e

Implemented strict CORS validation, enforced Vite filesystem boundaries, and restricted LevelDB to loopback interfaces.

--- a/packages/@tinacms/cli/src/server/index.ts
+++ b/packages/@tinacms/cli/src/server/index.ts
- app.use(cors())
+ const allowedOrigins = ['http://localhost', 'http://127.0.0.1', 'http://[::1]'];
+ app.use(cors({ origin: function (origin, callback) { if (!origin || allowedOrigins.includes(origin)) { callback(null, true); } else { callback(new Error('Not allowed by CORS')); } } }));
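Review bot: the allow list on the `+ const allowedOrigins` line holds bare origins with no port, but a browser's Origin header carries scheme, host and port, so `http://localhost:4001` (or whatever port the CLI serves on) fails `allowedOrigins.includes(origin)` and is rejected together with attacker origins; either parse the origin and match on hostname (`localhost`, `127.0.0.1`, `[::1]`) or list the exact origin:port values the CLI actually uses. Two smaller points on the same line: `callback(new Error('Not allowed by CORS'))` hands rejected requests to Express's error handler (a 500, with a stack trace in development) instead of simply omitting the CORS headers, and the Vite filesystem boundary and LevelDB loopback changes named in the commit message are not in this hunk, so the path-traversal half of the fix cannot be reviewed from this excerpt.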
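To make the mechanism concrete, here is an added example (not TinaCMS code and not the commit above) in plain Node.js: the wildcard policy that `cors()` emits by default, a loopback-only policy that matches on the parsed hostname so any local port still works, and a small model of the browser's decision to release a cross-origin response body. The attacker origin and dev-UI origin are constructed values; the example assumes the dev server has no authentication, as local dev servers typically do not, so the `Access-Control-Allow-Origin` header alone decides whether a third-party page can read its responses.

```javascript
// Added example (not TinaCMS code): permissive CORS beside a loopback-only
// policy, plus a simulation of the browser-side read decision.
// Assumption: the dev server is unauthenticated, so ACAO alone gates reads.

// What `cors()` with no options sends: a wildcard, so any origin may read
// credential-less responses, which is all a drive-by page needs here.
function permissiveCorsHeaders(origin) {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Loopback hostnames as the WHATWG URL parser reports them (IPv6 keeps brackets).
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Parse the Origin header and allow only http(s) origins whose host is loopback,
// on any port. Unparsable values ("null" from a sandboxed iframe, junk) fail.
function isLoopbackOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // Exact hostname match: localhost.evil.example or 127.0.0.1.nip.io must fail.
  return LOOPBACK_HOSTS.has(url.hostname);
}

// Strict policy: echo only loopback origins; otherwise emit no CORS header at
// all (the browser then blocks the read). A request with no Origin header is a
// same-origin or non-browser request and gets no CORS headers either.
function strictCorsHeaders(origin) {
  if (origin === undefined) return {};
  if (!isLoopbackOrigin(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin', // a per-origin echo must not be cached across origins
  };
}

// A browser hands a cross-origin response body to script when ACAO is `*`
// (credential-less request) or exactly equals the requesting origin.
function browserCanRead(headers, origin) {
  const acao = headers['Access-Control-Allow-Origin'];
  return acao === '*' || acao === origin;
}

// Constructed drive-by scenario: attacker page vs. the developer's own UI.
const ATTACKER_ORIGIN = 'https://evil.example';
const DEV_UI_ORIGIN = 'http://localhost:4001';

function driveByReadable(policy) {
  return browserCanRead(policy(ATTACKER_ORIGIN), ATTACKER_ORIGIN);
}

function devUiStillWorks(policy) {
  return browserCanRead(policy(DEV_UI_ORIGIN), DEV_UI_ORIGIN);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('cors() readable by attacker:', driveByReadable(permissiveCorsHeaders)); // true
  console.log('strict readable by attacker:', driveByReadable(strictCorsHeaders));     // false
  console.log('strict still serves dev UI: ', devUiStillWorks(strictCorsHeaders));     // true
}
```

The hostname match is the point: a list of bare `http://localhost` strings compared with `includes` never equals a real Origin header such as `http://localhost:4001`, whereas parsing and comparing `url.hostname` accepts every local port and still rejects look-alike hosts and the literal `null` origin.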

Mitigation Strategies

  • Update @tinacms/cli dependency to version 2.1.8 or higher.
  • Configure server.allowedOrigins strictly if using remote workspaces like GitHub Codespaces: there the browser reaches the dev server through a forwarded origin (a *.app.github.dev URL) rather than localhost, so a loopback-only list blocks the UI and an over-broad list reopens the hole; allow exactly the forwarded origin and nothing else.
  • Audit internal repositories for hardcoded permissive CORS patterns in local tooling.

Remediation Steps:

  1. Identify projects utilizing TinaCMS by scanning package.json files.
  2. Execute npm install @tinacms/cli@latest or equivalent package manager commands to apply the patch.
  3. Verify the installed version is 2.1.8 or greater, for example with npm ls @tinacms/cli (or npx tinacms --version); check the lockfile rather than the range declared in package.json, since a caret range can still resolve to an older pinned release.
  4. Rotate any sensitive credentials stored on developer workstations if there is suspicion of compromise.

Read the full report for CVE-2026-28792 on our website for more details including interactive diagrams and full exploit analysis.
