Platform
nodejs
Component
@tinacms/graphql
Fixed in
2.2.3
2.2.2
CVE-2026-34603 describes a path traversal vulnerability discovered in the @tinacms/graphql package, a component used for content management systems. This flaw allows attackers to potentially access and modify files outside of the designated media directory, leading to unauthorized data exposure or modification. The vulnerability affects versions prior to 2.2.2 and has been resolved in version 2.2.2.
The vulnerability stems from insufficient validation of user-controlled paths within the dev media handlers. While lexical checks are in place, they fail to resolve symlink or junction targets. Consequently, an attacker can craft a path, such as pivot/written-from-media.txt, that exploits existing links within the media root. This enables out-of-root media listing and write access. The potential impact includes unauthorized access to sensitive files, modification of critical system configurations, and potentially, remote code execution if the attacker can leverage the write access to inject malicious code. This is particularly concerning in environments where media files contain sensitive data or are used in automated build processes.
This vulnerability was publicly disclosed on 2026-04-01. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.1 (HIGH) indicates a significant risk, and it is recommended to prioritize remediation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.07% (23% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to @tinacms/graphql version 2.2.2 or later, which includes the necessary path validation improvements. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path patterns, such as those containing .. or symbolic link references. Additionally, restrict access to the dev media routes to trusted users and networks. Regularly review and audit file permissions within the media directory to ensure least privilege access.
Update the version of @tinacms/graphql to version 2.2.2 or higher. This fixes the path traversal vulnerability in the media endpoints.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34603 is a path traversal vulnerability in the @tinacms/graphql package, allowing attackers to potentially access and modify files outside the intended media directory.
You are affected if you are using @tinacms/graphql versions prior to 2.2.2. Upgrade to the latest version to mitigate the risk.
Upgrade to @tinacms/graphql version 2.2.2 or later. Consider implementing WAF rules and restricting access to media routes as temporary workarounds.
As of the current disclosure date, there are no known public exploits or active campaigns targeting this vulnerability, but the HIGH severity warrants prompt remediation.
Refer to the official @tinacms release notes and security advisories on their website or GitHub repository for the latest information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.