Skip to main content

Microsoft EUVDEUVD-2026-17965

| CVE-2026-34604 HIGH
Path Traversal (CWE-22)
2026-04-01 https://github.com/tinacms/tinacms GHSA-g9c2-gf25-3x67
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

4
EUVD ID Assigned
Apr 01, 2026 - 00:30 euvd
EUVD-2026-17965
Analysis Generated
Apr 01, 2026 - 00:30 vuln.today
Patch released
Apr 01, 2026 - 00:30 nvd
Patch available
CVE Published
Apr 01, 2026 - 00:25 nvd
HIGH 7.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 npm packages depend on @tinacms/graphql (3 direct, 3 indirect)

Ecosystem-wide dependent count for version 2.2.2.

DescriptionGitHub Advisory

Summary

@tinacms/graphql uses string-based path containment checks in FilesystemBridge:

  • path.resolve(path.join(baseDir, filepath))
  • startsWith(resolvedBase + path.sep)

That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it.

As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root.

Details

The current bridge validation is:

ts
function assertWithinBase(filepath: string, baseDir: string): string {
  const resolvedBase = path.resolve(baseDir);
  const resolved = path.resolve(path.join(baseDir, filepath));
  if (
    resolved !== resolvedBase &&
    !resolved.startsWith(resolvedBase + path.sep)
  ) {
    throw new Error(
      `Path traversal detected: "${filepath}" escapes the base directory`
    );
  }
  return resolved;
}

But the bridge then performs real filesystem I/O on the resulting path:

ts
public async get(filepath: string) {
  const resolved = assertWithinBase(filepath, this.outputPath);
  return (await fs.readFile(resolved)).toString();
}

public async put(filepath: string, data: string, basePathOverride?: string) {
  const basePath = basePathOverride || this.outputPath;
  const resolved = assertWithinBase(filepath, basePath);
  await fs.outputFile(resolved, data);
}

public async delete(filepath: string) {
  const resolved = assertWithinBase(filepath, this.outputPath);
  await fs.remove(resolved);
}

This is a classic realpath gap:

  1. validation checks the lexical path string
  2. the filesystem follows the link target during I/O
  3. the actual target can be outside the intended root

This is reachable from Tina's GraphQL/local database flow. The resolver builds a validated path from user-controlled relativePath, but that validation is also string-based:

ts
const realPath = path.join(collection.path, relativePath);
this.validatePath(realPath, collection, relativePath);

Database write and delete operations then call the bridge:

ts
await this.bridge.put(normalizedPath, stringifiedFile);
...
await this.bridge.delete(normalizedPath);

Local Reproduction

This was verified llocally with a real junction on Windows, which exercises the same failure mode as a symlink on Unix-like systems.

Test layout:

  • content root: D:\bugcrowd\tinacms\temp\junction-repro4
  • allowed collection path: content/posts
  • junction inside collection: content/posts/pivot -> D:\bugcrowd\tinacms\temp\junction-repro4\outside
  • file outside content root: outside\secret.txt

Tina's current path-validation logic was applied and used to perform bridge-style read/write operations through the junction.

Observed result:

json
{
  "graphqlBridge": {
    "collectionPath": "content/posts",
    "requestedRelativePath": "pivot/owned.md",
    "validatedRealPath": "content\\posts\\pivot\\owned.md",
    "bridgeResolvedPath": "D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\content\\posts\\pivot\\owned.md",
    "bridgeRead": "TOP_SECRET_FROM_OUTSIDE\\r\\n",
    "outsideGraphqlWriteExists": true,
    "outsideGraphqlWriteContents": "GRAPHQL_ESCAPE"
  }
}

That is the critical point:

  • the path was accepted as inside content/posts
  • the bridge read outside\secret.txt
  • the bridge wrote outside\owned.md

So the current containment check does not actually constrain filesystem access to the configured content root once a link exists inside that tree.

Impact

  • Arbitrary file read/write outside the configured content root
  • Potential delete outside the configured content root via the same assertWithinBase() gap in delete()
  • Breaks the assumptions of the recent path-traversal fixes because only lexical traversal is blocked
  • Practical attack chains where the content tree contains a committed symlink/junction, or an attacker can cause one to exist before issuing GraphQL/content operations

The exact network exploitability depends on how the application exposes Tina's GraphQL/content operations, but the underlying bridge bug is real and independently security-relevant.

Recommended Fix

The containment check needs to compare canonical filesystem paths, not just string-normalized paths.

For example:

  1. resolve the base with fs.realpath()
  2. resolve the candidate path's parent with fs.realpath()
  3. reject any request whose real target path escapes the real base
  4. for write operations, carefully canonicalize the nearest existing parent directory before creating the final file

In short: use realpath-aware containment checks for every filesystem sink, not path.resolve(...).startsWith(...) alone.

Resources

  • packages/@tinacms/graphql/src/database/bridge/filesystem.ts
  • packages/@tinacms/graphql/src/database/index.ts
  • packages/@tinacms/graphql/src/resolver/index.ts

AnalysisAI

Path traversal via symlink/junction bypass in @tinacms/graphql FilesystemBridge allows authenticated remote attackers with low privileges to read, write, and delete arbitrary files outside the configured content root. The vulnerability exploits a realpath canonicalization gap where path validation checks lexical string paths but filesystem operations follow symlink targets. Attack complexity is high (CVSS AC:H) as it requires pre-existing symlinks/junctions within the content tree or the ability

Technical ContextAI

The vulnerability resides in @tinacms/graphql's FilesystemBridge class, which implements content management filesystem operations. The bridge uses path.resolve() combined with startsWith() string checks to validate that requested file paths remain within the configured base directory. This is a classic TOCTOU (Time-of-Check-Time-of-Use) variant specific to filesystem semantics: the validation operates on lexical path strings (path.resolve() only normalizes directory separators and resolves '..' segments syntactically), but subsequent fs.readFile(), fs.outputFile(), and fs.remove() operations follow symlinks and Windows junctions to their actual targets. This creates a realpath canonicalization gap where a path like 'content/posts/pivot/owned.md' passes validation if 'pivot' is a symlink, even though the real target resolves to a location outside the content root (e.g., '/etc/passwd' or 'C:\Windows\System32\config'). The vulnerability is exploitable through Tina's GraphQL resolver layer, which constructs file paths from user-controlled 'relativePath' parameters and passes them to bridge methods. CWE-22 (Path Traversal) accurately categorizes this as improper limitation of pathname, though the specific failure mode is symlink-following rather than '../' sequence injection.

RemediationAI

Apply the vendor-released patch immediately by upgrading to a TinaCMS version that includes commit f124eabaca10dac9a4d765c9e4135813c4830955 or later. The patch is available at https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955. The fix implements realpath-aware canonicalization by resolving both the base directory and candidate file paths using fs.realpath() before performing containment checks, ensuring validation operates on actual filesystem targets rather than lexical path strings. For write operations, the patch canonicalizes the nearest existing parent directory before creating files to prevent race conditions. If immediate patching is not feasible, implement the following interim controls: audit all content repositories for existing symlinks and junctions, removing any that point outside the intended content root; enforce strict access controls on content write operations to prevent authenticated users from creating symlinks; deploy filesystem monitoring to detect symlink creation attempts; consider running the TinaCMS process with restricted filesystem permissions using chroot jails or containers to limit damage from successful exploitation. Review application logs for suspicious file access patterns involving nested paths that might indicate exploitation attempts. Consult the full security advisory at https://github.com/advisories/GHSA-g9c2-gf25-3x67 for additional vendor guidance.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

EUVD-2026-17965 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy