CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34604: Path Validation Bypass via Symlinks in @tinacms/graphql

Vulnerability ID: CVE-2026-34604
CVSS Score: 7.1
Published: 2026-04-01

The @tinacms/graphql package before version 2.2.2 is vulnerable to a path traversal attack due to improper symlink validation. An authenticated attacker can read, write, or delete files outside the intended content root if a symbolic link exists.

TL;DR

TinaCMS GraphQL API allows path traversal via symlinks, enabling restricted file access.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-59, CWE-22
  • Attack Vector: Network
  • CVSS Score: 7.1
  • Privileges Required: Low
  • User Interaction: None
  • Exploit Status: Proof of Concept

Affected Systems

  • TinaCMS headless content management system
  • Node.js environments running @tinacms/graphql below version 2.2.2
  • @tinacms/graphql: < 2.2.2 (Fixed in: 2.2.2)

Code Analysis

Commit: f124eab

The security patch adds an assertSymlinkWithinBase check that resolves paths with fs.realpathSync before comparing them against the content root, so a symlink that lives inside the root but points outside it no longer passes validation.

Mitigation Strategies

  • Upgrade @tinacms/graphql to version 2.2.2 or higher.
  • Apply the principle of least privilege to the OS user account executing the TinaCMS Node.js process.
  • Deploy the application in a restricted containerized environment to limit filesystem visibility.
  • Audit the content directories for unauthorized or unexpected symbolic links.

Remediation Steps:

  1. Identify all projects utilizing the @tinacms/graphql package.
  2. Run npm update @tinacms/graphql or equivalent package manager commands to ensure version 2.2.2 is installed.
  3. Verify the integrity of the updated package in the lockfile.
  4. Review the application deployment environment to ensure the Node.js process runs as a non-root user.

Read the full report for CVE-2026-34604 on our website for more details including interactive diagrams and full exploit analysis.
