Vulnerability-Lookup

CVE-2026-34604 (GCVE-0-2026-34604)

Vulnerability from cvelistv5 – Published: 2026-04-01 16:05 – Updated: 2026-04-01 17:59

Title

@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions

Summary

Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/tinacms/tinacms/security/advis…	x_refsource_CONFIRM
	https://github.com/tinacms/tinacms/commit/f124eab…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	tinacms	tinacms	Affected: < 2.2.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34604",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T17:59:42.739451Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T17:59:46.120Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "tinacms",
          "vendor": "tinacms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered \"inside\" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T16:05:15.196Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67"
        },
        {
          "name": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955"
        }
      ],
      "source": {
        "advisory": "GHSA-g9c2-gf25-3x67",
        "discovery": "UNKNOWN"
      },
      "title": "@tinacms/graphql\u0027s `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34604",
    "datePublished": "2026-04-01T16:05:15.196Z",
    "dateReserved": "2026-03-30T17:15:52.500Z",
    "dateUpdated": "2026-04-01T17:59:46.120Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-34604\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-01T17:28:41.280\",\"lastModified\":\"2026-04-03T16:10:52.680\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered \\\"inside\\\" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"references\":[{\"url\":\"https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34604\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-01T17:59:42.739451Z\"}}}], \"references\": [{\"url\": \"https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-01T17:59:37.575Z\"}}], \"cna\": {\"title\": \"@tinacms/graphql\u0027s `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions\", \"source\": {\"advisory\": \"GHSA-g9c2-gf25-3x67\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"tinacms\", \"product\": \"tinacms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.2.2\"}]}], \"references\": [{\"url\": \"https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67\", \"name\": \"https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955\", \"name\": \"https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered \\\"inside\\\" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-59\", \"description\": \"CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-01T16:05:15.196Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-34604\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-01T17:59:46.120Z\", \"dateReserved\": \"2026-03-30T17:15:52.500Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-01T16:05:15.196Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-G9C2-GF25-3X67

Vulnerability from github – Published: 2026-04-01 00:25 – Updated: 2026-04-01 00:25

Summary

@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions

Details

Summary

@tinacms/graphql uses string-based path containment checks in FilesystemBridge:

path.resolve(path.join(baseDir, filepath))
startsWith(resolvedBase + path.sep)

That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it.

As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root.

Details

The current bridge validation is:

function assertWithinBase(filepath: string, baseDir: string): string {
  const resolvedBase = path.resolve(baseDir);
  const resolved = path.resolve(path.join(baseDir, filepath));
  if (
    resolved !== resolvedBase &&
    !resolved.startsWith(resolvedBase + path.sep)
  ) {
    throw new Error(
      `Path traversal detected: "${filepath}" escapes the base directory`
    );
  }
  return resolved;
}

But the bridge then performs real filesystem I/O on the resulting path:

public async get(filepath: string) {
  const resolved = assertWithinBase(filepath, this.outputPath);
  return (await fs.readFile(resolved)).toString();
}

public async put(filepath: string, data: string, basePathOverride?: string) {
  const basePath = basePathOverride || this.outputPath;
  const resolved = assertWithinBase(filepath, basePath);
  await fs.outputFile(resolved, data);
}

public async delete(filepath: string) {
  const resolved = assertWithinBase(filepath, this.outputPath);
  await fs.remove(resolved);
}

This is a classic realpath gap:

validation checks the lexical path string
the filesystem follows the link target during I/O
the actual target can be outside the intended root

This is reachable from Tina's GraphQL/local database flow. The resolver builds a validated path from user-controlled relativePath, but that validation is also string-based:

const realPath = path.join(collection.path, relativePath);
this.validatePath(realPath, collection, relativePath);

Database write and delete operations then call the bridge:

await this.bridge.put(normalizedPath, stringifiedFile);
...
await this.bridge.delete(normalizedPath);

Local Reproduction

This was verified llocally with a real junction on Windows, which exercises the same failure mode as a symlink on Unix-like systems.

Test layout:

content root: D:\bugcrowd\tinacms\temp\junction-repro4
allowed collection path: content/posts
junction inside collection: content/posts/pivot -> D:\bugcrowd\tinacms\temp\junction-repro4\outside
file outside content root: outside\secret.txt

Tina's current path-validation logic was applied and used to perform bridge-style read/write operations through the junction.

Observed result:

{
  "graphqlBridge": {
    "collectionPath": "content/posts",
    "requestedRelativePath": "pivot/owned.md",
    "validatedRealPath": "content\\posts\\pivot\\owned.md",
    "bridgeResolvedPath": "D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\content\\posts\\pivot\\owned.md",
    "bridgeRead": "TOP_SECRET_FROM_OUTSIDE\\r\\n",
    "outsideGraphqlWriteExists": true,
    "outsideGraphqlWriteContents": "GRAPHQL_ESCAPE"
  }
}

That is the critical point:

the path was accepted as inside content/posts
the bridge read outside\secret.txt
the bridge wrote outside\owned.md

So the current containment check does not actually constrain filesystem access to the configured content root once a link exists inside that tree.

Impact

Arbitrary file read/write outside the configured content root
Potential delete outside the configured content root via the same assertWithinBase() gap in delete()
Breaks the assumptions of the recent path-traversal fixes because only lexical traversal is blocked
Practical attack chains where the content tree contains a committed symlink/junction, or an attacker can cause one to exist before issuing GraphQL/content operations

The exact network exploitability depends on how the application exposes Tina's GraphQL/content operations, but the underlying bridge bug is real and independently security-relevant.

Recommended Fix

The containment check needs to compare canonical filesystem paths, not just string-normalized paths.

For example:

resolve the base with fs.realpath()
resolve the candidate path's parent with fs.realpath()
reject any request whose real target path escapes the real base
for write operations, carefully canonicalize the nearest existing parent directory before creating the final file

In short: use realpath-aware containment checks for every filesystem sink, not path.resolve(...).startsWith(...) alone.

Resources

packages/@tinacms/graphql/src/database/bridge/filesystem.ts
packages/@tinacms/graphql/src/database/index.ts
packages/@tinacms/graphql/src/resolver/index.ts

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@tinacms/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T00:25:22Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`@tinacms/graphql` uses string-based path containment checks in `FilesystemBridge`:\n\n- `path.resolve(path.join(baseDir, filepath))`\n- `startsWith(resolvedBase + path.sep)`\n\nThat blocks plain `../` traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like `content/posts/pivot/owned.md` is still considered \"inside\" the base even though the real filesystem target can be outside it.\n\nAs a result, `FilesystemBridge.get()`, `put()`, `delete()`, and `glob()` can operate on files outside the intended root.\n\n## Details\n\nThe current bridge validation is:\n\n```ts\nfunction assertWithinBase(filepath: string, baseDir: string): string {\n  const resolvedBase = path.resolve(baseDir);\n  const resolved = path.resolve(path.join(baseDir, filepath));\n  if (\n    resolved !== resolvedBase \u0026\u0026\n    !resolved.startsWith(resolvedBase + path.sep)\n  ) {\n    throw new Error(\n      `Path traversal detected: \"${filepath}\" escapes the base directory`\n    );\n  }\n  return resolved;\n}\n```\n\nBut the bridge then performs real filesystem I/O on the resulting path:\n\n```ts\npublic async get(filepath: string) {\n  const resolved = assertWithinBase(filepath, this.outputPath);\n  return (await fs.readFile(resolved)).toString();\n}\n\npublic async put(filepath: string, data: string, basePathOverride?: string) {\n  const basePath = basePathOverride || this.outputPath;\n  const resolved = assertWithinBase(filepath, basePath);\n  await fs.outputFile(resolved, data);\n}\n\npublic async delete(filepath: string) {\n  const resolved = assertWithinBase(filepath, this.outputPath);\n  await fs.remove(resolved);\n}\n```\n\nThis is a classic realpath gap:\n\n1. validation checks the lexical path string\n2. the filesystem follows the link target during I/O\n3. the actual target can be outside the intended root\n\nThis is reachable from Tina\u0027s GraphQL/local database flow. The resolver builds a validated path from user-controlled `relativePath`, but that validation is also string-based:\n\n```ts\nconst realPath = path.join(collection.path, relativePath);\nthis.validatePath(realPath, collection, relativePath);\n```\n\nDatabase write and delete operations then call the bridge:\n\n```ts\nawait this.bridge.put(normalizedPath, stringifiedFile);\n...\nawait this.bridge.delete(normalizedPath);\n```\n\n## Local Reproduction\n\nThis was verified llocally with a real junction on Windows, which exercises the same failure mode as a symlink on Unix-like systems.\n\nTest layout:\n\n- content root: `D:\\bugcrowd\\tinacms\\temp\\junction-repro4`\n- allowed collection path: `content/posts`\n- junction inside collection: `content/posts/pivot -\u003e D:\\bugcrowd\\tinacms\\temp\\junction-repro4\\outside`\n- file outside content root: `outside\\secret.txt`\n\nTina\u0027s current path-validation logic was applied and used to perform bridge-style read/write operations through the junction.\n\nObserved result:\n\n```json\n{\n  \"graphqlBridge\": {\n    \"collectionPath\": \"content/posts\",\n    \"requestedRelativePath\": \"pivot/owned.md\",\n    \"validatedRealPath\": \"content\\\\posts\\\\pivot\\\\owned.md\",\n    \"bridgeResolvedPath\": \"D:\\\\bugcrowd\\\\tinacms\\\\temp\\\\junction-repro4\\\\content\\\\posts\\\\pivot\\\\owned.md\",\n    \"bridgeRead\": \"TOP_SECRET_FROM_OUTSIDE\\\\r\\\\n\",\n    \"outsideGraphqlWriteExists\": true,\n    \"outsideGraphqlWriteContents\": \"GRAPHQL_ESCAPE\"\n  }\n}\n```\n\nThat is the critical point:\n\n- the path was accepted as inside `content/posts`\n- the bridge read `outside\\secret.txt`\n- the bridge wrote `outside\\owned.md`\n\nSo the current containment check does not actually constrain filesystem access to the configured content root once a link exists inside that tree.\n\n## Impact\n\n- **Arbitrary file read/write outside the configured content root**\n- **Potential delete outside the configured content root** via the same `assertWithinBase()` gap in `delete()`\n- **Breaks the assumptions of the recent path-traversal fixes** because only lexical traversal is blocked\n- **Practical attack chains** where the content tree contains a committed symlink/junction, or an attacker can cause one to exist before issuing GraphQL/content operations\n\nThe exact network exploitability depends on how the application exposes Tina\u0027s GraphQL/content operations, but the underlying bridge bug is real and independently security-relevant.\n\n## Recommended Fix\n\nThe containment check needs to compare canonical filesystem paths, not just string-normalized paths.\n\nFor example:\n\n1. resolve the base with `fs.realpath()`\n2. resolve the candidate path\u0027s parent with `fs.realpath()`\n3. reject any request whose real target path escapes the real base\n4. for write operations, carefully canonicalize the nearest existing parent directory before creating the final file\n\nIn short: use realpath-aware containment checks for every filesystem sink, not `path.resolve(...).startsWith(...)` alone.\n\n## Resources\n\n- `packages/@tinacms/graphql/src/database/bridge/filesystem.ts`\n- `packages/@tinacms/graphql/src/database/index.ts`\n- `packages/@tinacms/graphql/src/resolver/index.ts`",
  "id": "GHSA-g9c2-gf25-3x67",
  "modified": "2026-04-01T00:25:22Z",
  "published": "2026-04-01T00:25:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tinacms/tinacms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@tinacms/graphql\u0027s `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions"
}

FKIE_CVE-2026-34604

Vulnerability from fkie_nvd - Published: 2026-04-01 17:28 - Updated: 2026-04-03 16:10

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955
	security-advisories@github.com	https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered \"inside\" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2."
    }
  ],
  "id": "CVE-2026-34604",
  "lastModified": "2026-04-03T16:10:52.680",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-01T17:28:41.280",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/tinacms/tinacms/commit/f124eabaca10dac9a4d765c9e4135813c4830955"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g9c2-gf25-3x67"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-59"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-34604 (GCVE-0-2026-34604)

GHSA-G9C2-GF25-3X67

Summary

Details

Local Reproduction

Impact

Recommended Fix

Resources

FKIE_CVE-2026-34604

Tags

Sightings

Nomenclature