DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-29066: Arbitrary File Read in TinaCMS CLI via Permissive Vite Configuration

Vulnerability ID: CVE-2026-29066
CVSS Score: 6.2
Published: 2026-03-12

The @tinacms/cli package prior to version 2.1.8 contains a medium-severity vulnerability that lets an unauthenticated attacker on the local host or on an adjacent network read arbitrary files from the developer's filesystem. The cause is an insecure Vite development server configuration: the CLI explicitly disables Vite's strict filesystem boundary (the server.fs.strict option), so requests to the dev server's /@fs/ endpoint are no longer confined to the project's allow list.

TL;DR

TinaCMS CLI versions prior to 2.1.8 explicitly disable Vite's strict filesystem checks, enabling an unauthenticated arbitrary file read vulnerability via the development server's /@fs/ endpoint.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-552 (Files or Directories Accessible to External Parties) / CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
  • Attack Vector: Local / Adjacent Network
  • CVSS Score: 6.2
  • Impact: High Confidentiality (Arbitrary File Read)
  • Exploit Status: Proof of Concept (PoC) Available
  • KEV Status: Not Listed

Affected Systems

  • TinaCMS CLI (< 2.1.8)
  • Vite Development Server (Embedded via TinaCMS)
  • @tinacms/cli: < 2.1.8 (Fixed in: 2.1.8)

Mitigation Strategies

  • Upgrade @tinacms/cli to version 2.1.8 or later
  • Bind the development server exclusively to the local loopback interface (127.0.0.1) rather than all interfaces; this closes the adjacent-network vector but does not protect against other processes or users on the same host
  • Avoid running development servers in untrusted or shared network environments

Remediation Steps:

  1. Identify all projects utilizing @tinacms/cli in their dependency tree.
  2. Update the package version to 2.1.8 or higher in the project's package.json.
  3. Run the appropriate package manager installation command (e.g., npm install or yarn install) to apply the update.
  4. Restart the TinaCMS development server process to load the patched configuration.
  5. Audit development environments and rotate any credentials if the server was previously exposed to an untrusted network.

