Platform: nodejs
Component: @tinacms/cli
Fixed in: 2.1.9, 2.1.8
CVE-2026-28792 is a critical Path Traversal vulnerability affecting the @tinacms/cli development server. By combining a permissive CORS configuration with a path traversal flaw, a remote attacker can potentially compromise a developer's machine. The vulnerability impacts versions prior to 2.1.8 and is resolved by upgrading to the patched version. A fix was released on an unspecified date.
The core of this vulnerability is the combination of a permissive CORS policy (accepting requests from any origin) with an existing path traversal flaw in the @tinacms/cli dev server. An attacker can craft a malicious website that, when visited by a developer running tinacms dev, issues cross-origin requests to the local dev server. Because of the path traversal flaw, those requests can enumerate files on the developer's filesystem. More critically, the attacker can write arbitrary files and delete existing files, potentially leading to complete system compromise. This is a significant risk because it bypasses the browser's same-origin boundary that would normally isolate a local dev server from untrusted web content, and file manipulation of this kind can lead to remote code execution.
This vulnerability was publicly disclosed on 2026-03-12. The combination of permissive CORS and path traversal creates a relatively easy-to-exploit scenario. While no public proof-of-concept (PoC) has been observed as of this writing, the simplicity of the attack vector suggests a high probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.28% (51st percentile)
The primary mitigation for CVE-2026-28792 is to immediately upgrade the @tinacms/cli package to version 2.1.8 or later. Until the upgrade is possible, developers should avoid running tinacms dev on machines containing sensitive data. As a temporary workaround, consider implementing stricter CORS policies within the TinaCMS configuration to limit allowed origins. While this doesn't directly address the path traversal, it reduces the attack surface. After upgrading, verify the fix by attempting to access files outside the intended directory via a browser while the dev server is running; access should be denied.
Update the @tinacms/cli package to version 2.1.8 or higher. This corrects both the path traversal vulnerability and the permissive CORS configuration that together allow file exfiltration. Run `npm install @tinacms/cli@latest` or `yarn add @tinacms/cli@latest` to update.
CVE-2026-28792 is a critical vulnerability in @tinacms/cli allowing attackers to read, write, and delete files on developer machines via a malicious website due to permissive CORS and path traversal.
You are affected if you are using @tinacms/cli versions prior to 2.1.8 and running the tinacms dev server.
Upgrade to @tinacms/cli version 2.1.8 or later. As a temporary workaround, restrict CORS origins.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a high probability of future attacks.
Refer to the official @tinacms/cli release notes and security advisories on their website or GitHub repository.