{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/tinacms/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","graphql","tinacms","arbitrary-file-write"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA path traversal vulnerability, tracked as CVE-2026-33949, affects versions 2.2.1 and earlier of \u003ccode\u003e@tinacms/graphql\u003c/code\u003e, the GraphQL API layer of TinaCMS. It lets an unauthenticated attacker create or overwrite arbitrary files under the project root. The root cause is insufficient validation of the \u003ccode\u003erelativePath\u003c/code\u003e argument of GraphQL mutations, which is used to locate the file to write without reliably rejecting traversal sequences. With that write primitive an attacker can overwrite project configuration files such as \u003ccode\u003epackage.json\u003c/code\u003e and \u003ccode\u003etsconfig.json\u003c/code\u003e, drop malicious scripts into the \u003ccode\u003epublic/\u003c/code\u003e directory, and achieve arbitrary code execution by modifying build scripts or server-side logic files. 
Because exploitation requires no authentication, any exposed instance running an affected version is at risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker locates a reachable TinaCMS instance running \u003ccode\u003e@tinacms/graphql\u003c/code\u003e 2.2.1 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a GraphQL request that invokes the \u003ccode\u003eupdateDocument\u003c/code\u003e mutation.\u003c/li\u003e\n\u003cli\u003eIn the mutation's \u003ccode\u003erelativePath\u003c/code\u003e argument the attacker supplies a traversal sequence written with backslashes, such as \u003ccode\u003ex\\\\..\\\\..\\\\..\\\\package.json\u003c/code\u003e, because backslashes are not handled as path separators on non-Windows hosts.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egetValidatedPath\u003c/code\u003e function does not recognise backslash-delimited \u003ccode\u003e..\u003c/code\u003e components on non-Windows platforms and therefore accepts the path.\u003c/li\u003e\n\u003cli\u003eThe request is processed and the server attempts to write to the attacker-supplied path.\u003c/li\u003e\n\u003cli\u003eWhen the path is resolved for the write, the traversal sequence takes effect and the write lands outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites a critical file, such as \u003ccode\u003epackage.json\u003c/code\u003e, with malicious content.\u003c/li\u003e\n\u003cli\u003eThe server or build process executes the modified file, resulting in arbitrary code execution or other malicious behaviour.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives an unauthenticated attacker an arbitrary file write under the project root. 
Overwriting project configuration files breaks the site (denial of service); files dropped into \u003ccode\u003epublic/\u003c/code\u003e are served to visitors and enable client-side attacks; and because \u003ccode\u003epackage.json\u003c/code\u003e scripts run during install and build, modifying them or server-side logic files yields arbitrary code execution and complete system compromise. The number of affected deployments is unknown, but every TinaCMS instance running \u003ccode\u003e@tinacms/graphql\u003c/code\u003e 2.2.1 or earlier is exposed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@tinacms/graphql\u003c/code\u003e to a patched release later than 2.2.1 to remediate CVE-2026-33949.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect TinaCMS GraphQL Path Traversal Attempt\u003c/code\u003e to flag exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor logs for POST requests to the \u003ccode\u003e/graphql\u003c/code\u003e endpoint whose \u003ccode\u003erelativePath\u003c/code\u003e argument contains \u003ccode\u003e..\u003c/code\u003e with either separator or an absolute path. Standard access logs record only the request line, not the GraphQL body, so the body or the \u003ccode\u003erelativePath\u003c/code\u003e value must be logged at the application layer for this check to see anything.\u003c/li\u003e\n\u003cli\u003eValidate file paths received through GraphQL mutations independently of the host operating system: treat both \u003ccode\u003e/\u003c/code\u003e and \u003ccode\u003e\\\u003c/code\u003e as separators, reject absolute paths and any \u003ccode\u003e..\u003c/code\u003e segment, and confirm that the resolved path still lies within the intended directory before writing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T17:11:02Z","date_published":"2026-03-30T17:11:02Z","id":"/briefs/2026-04-tinacms-path-traversal/","summary":"A path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root by manipulating the relativePath parameter in GraphQL mutations, leading to potential arbitrary code execution.","title":"TinaCMS GraphQL Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tinacms-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Tinacms","version":"https://jsonfeed.org/version/1.1"}