CVE-2026-28793: Unauthenticated Path Traversal in TinaCMS CLI Development Server
Vulnerability ID: CVE-2026-28793
CVSS Score: 8.4
Published: 2026-03-12
The TinaCMS CLI development server exposes media management endpoints that are affected by an unauthenticated path traversal flaw. By supplying URL-encoded traversal sequences, an attacker can bypass the server's routing restrictions and perform arbitrary file read, write, and delete operations on the local filesystem of the development host.
TL;DR
An unauthenticated path traversal vulnerability in @tinacms/cli versions prior to 2.1.8 permits local network attackers to read, write, and delete arbitrary files on the developer's system.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22
- Attack Vector: Local Network / Localhost
- CVSS v3.1 Score: 8.4 (High)
- Impact: Arbitrary File Read/Write/Delete
- Exploit Status: Proof-of-Concept Available
- Authentication Required: None
- Patched Version: 2.1.8
Affected Systems
- @tinacms/cli < 2.1.8 (fixed in 2.1.8)
- TinaCMS Development Server
Mitigation Strategies
- Upgrade @tinacms/cli to version 2.1.8 or later.
- Bind the development server exclusively to the loopback interface (127.0.0.1).
- Implement endpoint monitoring to detect traversal attempts on port 4001.
Remediation Steps
- Identify all projects utilizing @tinacms/cli.
- Run 'npm install @tinacms/cli@latest' or 'yarn add @tinacms/cli@latest' within the project directory.
- Verify the installed version is 2.1.8 or greater.
- Restart the TinaCMS development server to apply the updated logic.