Platform
nodejs
Component
@tinacms/graphql
Fixed in
2.2.3
2.2.2
CVE-2026-34604 describes a path traversal vulnerability discovered in the @tinacms/graphql package, a Node.js library used for GraphQL integration with TinaCMS. This flaw allows attackers to bypass path containment checks due to improper handling of symbolic links and junctions, potentially leading to unauthorized access and modification of files outside the intended content root. Affected versions are those prior to 2.2.2, and a patch has been released to address the issue.
The vulnerability stems from the FilesystemBridge component's reliance on string-based path containment checks that fail to resolve symlink or junction targets. An attacker who can craft a malicious path containing symbolic links or junctions can trick the application into accessing files outside the designated content root. This could lead to the disclosure of sensitive data, modification of critical system files, or even remote code execution if the attacker can leverage the accessed files to execute arbitrary commands. The blast radius extends to any environment utilizing @tinacms/graphql without proper input validation and path sanitization.
This vulnerability was publicly disclosed on 2026-04-01. There are currently no known public exploits or active campaigns targeting this specific CVE. The vulnerability's severity is considered HIGH due to the potential for unauthorized file access and modification. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.08% (23% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to version 2.2.2 or later of @tinacms/graphql, which includes a fix for this vulnerability. If upgrading is not immediately feasible, consider implementing stricter input validation and path sanitization on all user-supplied file paths before passing them to the FilesystemBridge. Employing a Web Application Firewall (WAF) with rules to block requests containing suspicious path patterns (e.g., ../) can provide an additional layer of defense. Regularly scanning your Node.js dependencies for known vulnerabilities using tools like npm audit is also crucial.
Update the @tinacms/graphql package to version 2.2.2 or higher. This corrects the path validation vulnerability in FilesystemBridge, preventing access to files outside the allowed root directory using symbolic links or junctions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34604 is a path traversal vulnerability in the @tinacms/graphql package, allowing attackers to access files outside the intended content root due to improper symlink/junction handling.
You are affected if you are using @tinacms/graphql versions prior to 2.2.2. Check your project dependencies to determine if you are vulnerable.
Upgrade to version 2.2.2 or later of @tinacms/graphql. If immediate upgrade is not possible, implement stricter input validation and path sanitization.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-34604.
Refer to the official @tinacms/graphql documentation and release notes for details on the vulnerability and the fix: [https://www.tinacms.io/](https://www.tinacms.io/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.