Platform: nodejs
Component: @tinacms/graphql
Fixed in: 2.2.3, 2.2.2
CVE-2026-34604 describes a path traversal vulnerability discovered in @tinacms/graphql, a GraphQL client library for TinaCMS. This flaw allows attackers to bypass path containment checks by exploiting symlinks and junctions, potentially leading to unauthorized access or modification of files outside the designated content root. The vulnerability affects versions prior to 2.2.2 and has been fixed in that release.
The core of the vulnerability lies in the FilesystemBridge component's inadequate handling of symlinks and junctions. While the code rejects path traversal via ../ sequences, it never resolves the real targets of symlinks and junctions, so the containment check compares only the lexical path. An attacker can supply a path such as content/posts/pivot/owned.md, where pivot is a symlink pointing outside the intended content directory. This allows the get(), put(), delete(), and glob() methods to operate on files beyond the intended boundaries, potentially exposing sensitive data or enabling arbitrary file modifications. The blast radius depends on the permissions of the user running the TinaCMS application; a compromised application could lead to full system compromise if running with elevated privileges.
As of the publication date (2026-04-01), there is no public evidence of active exploitation or KEV listing for CVE-2026-34604. The EPSS score is likely to be low initially, but could increase if a public exploit is released. Monitor security advisories and threat intelligence feeds for any updates. The vulnerability’s reliance on symlinks might make exploitation slightly more complex than traditional path traversal, potentially limiting its immediate widespread impact.
Applications and websites utilizing @tinacms/graphql for content management and file handling are at risk, particularly those with user-supplied file paths or those running older, unpatched versions of the package. Shared hosting environments where multiple applications share the same file system are also at increased risk.
• nodejs / supply-chain: npm list @tinacms/graphql
• nodejs / supply-chain: npm audit @tinacms/graphql
• generic web: Inspect incoming requests for unusual path patterns, especially those containing ../ sequences, particularly when dealing with file operations.
• generic web: Review access logs for requests attempting to access files outside the expected content root directory.
Disclosure
Exploit status
EPSS: 0.08% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34604 is to upgrade to @tinacms/graphql version 2.2.2 or later. This version includes fixes to properly resolve symlinks and junctions, preventing the path traversal bypass. If an immediate upgrade is not feasible, consider implementing stricter file system permissions to limit the impact of a potential exploit. Additionally, review and harden your TinaCMS configuration to minimize the potential attack surface. After upgrading, verify the fix by attempting to access a file outside the intended content root via a symlink; the operation should be denied.
Upgrade the @tinacms/graphql package to version 2.2.2 or later. This fixes the path validation vulnerability in FilesystemBridge, preventing access to files outside the permitted root directory through the use of symbolic links or junctions.
CVE-2026-34604 is a path traversal vulnerability in the @tinacms/graphql package, allowing attackers to access files outside the intended content root due to improper symlink/junction handling.
You are affected if you are using @tinacms/graphql versions prior to 2.2.2. Check your project dependencies to determine if you are vulnerable.
Upgrade to version 2.2.2 or later of @tinacms/graphql. If immediate upgrade is not possible, implement stricter input validation and path sanitization.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-34604.
Refer to the official @tinacms/graphql documentation and release notes for details on the vulnerability and the fix: [https://www.tinacms.io/](https://www.tinacms.io/)