Vulnerability-Lookup

CVE-2026-24125 (GCVE-0-2026-24125)

Vulnerability from cvelistv5 – Published: 2026-03-12 16:31 – Updated: 2026-03-12 17:55

Title

Path Traversal in @tinacms/graphql

Summary

Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. This vulnerability is fixed in 2.1.2.

Severity ?

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

https://github.com/tinacms/tinacms/security/advis…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	@tinacms	graphql	Affected: < 2.1.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24125",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-12T17:54:30.695250Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-12T17:55:19.636Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "graphql",
          "vendor": "@tinacms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. This vulnerability is fixed in 2.1.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-12T16:31:56.860Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj"
        }
      ],
      "source": {
        "advisory": "GHSA-2238-xc5r-v9hj",
        "discovery": "UNKNOWN"
      },
      "title": "Path Traversal in @tinacms/graphql"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24125",
    "datePublished": "2026-03-12T16:31:56.860Z",
    "dateReserved": "2026-01-21T18:38:22.473Z",
    "dateUpdated": "2026-03-12T17:55:19.636Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-24125\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-12T17:16:39.233\",\"lastModified\":\"2026-03-13T19:22:04.353\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. This vulnerability is fixed in 2.1.2.\"},{\"lang\":\"es\",\"value\":\"Tina es un sistema de gesti\u00f3n de contenido sin interfaz. Antes de la versi\u00f3n 2.1.2, TinaCMS permite a los usuarios crear, actualizar y eliminar documentos de contenido utilizando rutas de archivo relativas (relativePath, newRelativePath) a trav\u00e9s de mutaciones GraphQL. Bajo ciertas condiciones, estas rutas se combinan con la ruta de la colecci\u00f3n utilizando path.join() sin validar que la ruta resuelta permanezca dentro del directorio ra\u00edz de la colecci\u00f3n. Dado que path.join() no evita el salto de directorio, las rutas que contienen secuencias ../ pueden escapar del l\u00edmite de directorio previsto. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 2.1.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ssw:tinacms\\\\/graphql:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"2.1.2\",\"matchCriteriaId\":\"5CA145FF-AF13-4D53-8197-C2195D6B2462\"}]}]}],\"references\":[{\"url\":\"https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24125\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-12T17:54:30.695250Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-12T17:55:12.389Z\"}}], \"cna\": {\"title\": \"Path Traversal in @tinacms/graphql\", \"source\": {\"advisory\": \"GHSA-2238-xc5r-v9hj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"@tinacms\", \"product\": \"graphql\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.1.2\"}]}], \"references\": [{\"url\": \"https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj\", \"name\": \"https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. This vulnerability is fixed in 2.1.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-12T16:31:56.860Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-24125\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-12T17:55:19.636Z\", \"dateReserved\": \"2026-01-21T18:38:22.473Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-12T16:31:56.860Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-24125

Vulnerability from fkie_nvd - Published: 2026-03-12 17:16 - Updated: 2026-03-13 19:22

Severity ?

6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	ssw	tinacms\/graphql	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ssw:tinacms\\/graphql:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "5CA145FF-AF13-4D53-8197-C2195D6B2462",
              "versionEndExcluding": "2.1.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. This vulnerability is fixed in 2.1.2."
    },
    {
      "lang": "es",
      "value": "Tina es un sistema de gesti\u00f3n de contenido sin interfaz. Antes de la versi\u00f3n 2.1.2, TinaCMS permite a los usuarios crear, actualizar y eliminar documentos de contenido utilizando rutas de archivo relativas (relativePath, newRelativePath) a trav\u00e9s de mutaciones GraphQL. Bajo ciertas condiciones, estas rutas se combinan con la ruta de la colecci\u00f3n utilizando path.join() sin validar que la ruta resuelta permanezca dentro del directorio ra\u00edz de la colecci\u00f3n. Dado que path.join() no evita el salto de directorio, las rutas que contienen secuencias ../ pueden escapar del l\u00edmite de directorio previsto. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 2.1.2."
    }
  ],
  "id": "CVE-2026-24125",
  "lastModified": "2026-03-13T19:22:04.353",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-12T17:16:39.233",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-2238-XC5R-V9HJ

Vulnerability from github – Published: 2026-03-12 17:50 – Updated: 2026-03-12 19:13

Summary

@tinacms/graphql has a Path Traversal issue

Details

Description

TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory.

Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary.

Attack Vectors

File Creation: Create files outside the collection directory graphql createDocument( collection: "post" relativePath: "../../config/malicious.md" params: { post: { title: "malicious" } } )
File Move/Rename: Move existing files outside the collection graphql updateDocument( collection: "post" relativePath: "existing.md" params: { relativePath: "../../stolen.md" } )
File Deletion: Delete files outside the collection graphql deleteDocument( collection: "post" relativePath: "../../important-config.md" )
Folder Creation: Create folders outside the collection graphql createFolder( collection: "post" relativePath: "../../malicious-folder" )

Impact

An authenticated user with document mutation permissions can:

Create content files outside collection boundaries (subject to schema validation)
Move or rename files outside collection boundaries
Delete content files outside collection boundaries
Read file contents via document retrieval mutations

Mitigating Factors

Several constraints limit the practical impact of this vulnerability:

Schema Validation: Created/updated content must conform to the collection's GraphQL schema. Attackers cannot write arbitrary file content—the params argument is validated against the generated mutation types (e.g., PostMutation).
Authentication Required: Exploitation requires authenticated access with CMS editor permissions. Anonymous users cannot access GraphQL mutations.
Git Tracking: In typical deployments, all file operations are tracked in git (either via GitHub API for Tina Cloud/self-hosted with GitProvider, or local filesystem changes). Malicious changes are visible in version control and can be reverted.

What This Vulnerability Does NOT Allow

Writing arbitrary file content (content is schema-validated)
Silent/untracked file modifications (changes appear in git)
Unauthenticated access

Proof of Concept

See packages/@tinacms/graphql/tests/path-traversal-security/index.test.ts for automated tests demonstrating the vulnerability.

Manual reproduction:

node -e "
const path = require('path');

const collectionPath = 'content/posts';
const maliciousRelativePath = '../../OUTSIDE/poc.md';

const realPath = path.join(collectionPath, maliciousRelativePath);
console.log('Resolved path:', realPath);
// Output: OUTSIDE/poc.md (escaped content/posts)
"

Severity ?

6.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@tinacms/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T17:50:28Z",
    "nvd_published_at": "2026-03-12T17:16:39Z",
    "severity": "MODERATE"
  },
  "details": "### Description\n\nTinaCMS allows users to create, update, and delete content documents using relative file paths (`relativePath`, `newRelativePath`) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using `path.join()` without validating that the resolved path remains within the collection root directory.\n\nBecause `path.join()` does not prevent directory traversal, paths containing `../` sequences can escape the intended directory boundary.\n\n### Attack Vectors\n\n1. **File Creation**: Create files outside the collection directory\n   ```graphql\n   createDocument(\n     collection: \"post\"\n     relativePath: \"../../config/malicious.md\"\n     params: { post: { title: \"malicious\" } }\n   )\n   ```\n\n2. **File Move/Rename**: Move existing files outside the collection\n   ```graphql\n   updateDocument(\n     collection: \"post\"\n     relativePath: \"existing.md\"\n     params: { relativePath: \"../../stolen.md\" }\n   )\n   ```\n\n3. **File Deletion**: Delete files outside the collection\n   ```graphql\n   deleteDocument(\n     collection: \"post\"\n     relativePath: \"../../important-config.md\"\n   )\n   ```\n\n4. **Folder Creation**: Create folders outside the collection\n   ```graphql\n   createFolder(\n     collection: \"post\"\n     relativePath: \"../../malicious-folder\"\n   )\n   ```\n\n## Impact\n\nAn authenticated user with document mutation permissions can:\n\n- **Create content files** outside collection boundaries (subject to schema validation)\n- **Move or rename files** outside collection boundaries\n- **Delete content files** outside collection boundaries\n- **Read file contents** via document retrieval mutations\n\n## Mitigating Factors\n\nSeveral constraints limit the practical impact of this vulnerability:\n\n1. **Schema Validation**: Created/updated content must conform to the collection\u0027s GraphQL schema. Attackers cannot write arbitrary file content\u2014the `params` argument is validated against the generated mutation types (e.g., `PostMutation`).\n\n2. **Authentication Required**: Exploitation requires authenticated access with CMS editor permissions. Anonymous users cannot access GraphQL mutations.\n\n3. **Git Tracking**: In typical deployments, all file operations are tracked in git (either via GitHub API for Tina Cloud/self-hosted with GitProvider, or local filesystem changes). Malicious changes are visible in version control and can be reverted.\n\n### What This Vulnerability Does NOT Allow\n\n- Writing arbitrary file content (content is schema-validated)\n- Silent/untracked file modifications (changes appear in git)\n- Unauthenticated access\n\n## Proof of Concept\n\nSee `packages/@tinacms/graphql/tests/path-traversal-security/index.test.ts` for automated tests demonstrating the vulnerability.\n\nManual reproduction:\n```bash\nnode -e \"\nconst path = require(\u0027path\u0027);\n\nconst collectionPath = \u0027content/posts\u0027;\nconst maliciousRelativePath = \u0027../../OUTSIDE/poc.md\u0027;\n\nconst realPath = path.join(collectionPath, maliciousRelativePath);\nconsole.log(\u0027Resolved path:\u0027, realPath);\n// Output: OUTSIDE/poc.md (escaped content/posts)\n\"\n```",
  "id": "GHSA-2238-xc5r-v9hj",
  "modified": "2026-03-12T19:13:56Z",
  "published": "2026-03-12T17:50:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24125"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tinacms/tinacms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@tinacms/graphql has a Path Traversal issue"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-24125 (GCVE-0-2026-24125)

FKIE_CVE-2026-24125

GHSA-2238-XC5R-V9HJ

Description

Attack Vectors

Impact

Mitigating Factors

What This Vulnerability Does NOT Allow

Proof of Concept

Tags

Sightings

Nomenclature