Platform
nodejs
Component
@tinacms/cli
Fixed in
2.1.9
2.1.8
CVE-2026-28792 is a critical Path Traversal vulnerability affecting the @tinacms/cli development server. This vulnerability allows a remote attacker to potentially compromise a developer's machine by exploiting permissive CORS configurations. The vulnerability impacts versions prior to 2.1.8 and can be resolved by upgrading to the patched version. A fix was released on an unspecified date.
The core of this vulnerability lies in the combination of a permissive CORS policy (allowing requests from any origin) and an existing path traversal flaw within the @tinacms/cli dev server. An attacker can craft a malicious website that, when visited by a developer running tinacms dev, issues cross-origin requests to the local dev server. Because of the path traversal flaw, those requests can be used to enumerate files on the developer's filesystem. More critically, the attacker can write arbitrary files and even delete existing files, potentially leading to complete system compromise. This is a significant risk, as it bypasses the browser's usual origin boundary and allows remote code execution through file manipulation.
This vulnerability was publicly disclosed on 2026-03-12. The combination of permissive CORS and path traversal creates a relatively easy-to-exploit scenario. While no public proof-of-concept (PoC) has been observed as of this writing, the simplicity of the attack vector suggests a high probability of exploitation. It is not currently listed on the CISA KEV catalog.
Developers actively using the @tinacms/cli package for content management development are at significant risk. This includes those working on projects utilizing TinaCMS and running the tinacms dev server locally. The vulnerability is particularly concerning for developers who frequently visit untrusted websites or work in environments with limited security awareness.
• nodejs / supply-chain: npm audit @tinacms/cli
• nodejs / supply-chain: yarn audit @tinacms/cli
• generic web: Check for unusual file modifications or deletions on developer machines, particularly in directories accessible by the tinacms dev process.
EPSS
0.28% (51st percentile)
The primary mitigation for CVE-2026-28792 is to immediately upgrade the @tinacms/cli package to version 2.1.8 or later. Until the upgrade is possible, developers should avoid running tinacms dev on machines containing sensitive data. As a temporary workaround, consider implementing stricter CORS policies within the TinaCMS configuration to limit allowed origins. While this doesn't directly address the path traversal, it reduces the attack surface. After upgrading, verify the fix by attempting to access files outside the intended directory via a browser while the dev server is running; access should be denied.
Update the @tinacms/cli package to version 2.1.8 or later. This corrects the path traversal vulnerability and the permissive CORS configuration that together make file exfiltration possible. Run `npm install @tinacms/cli@latest` or `yarn add @tinacms/cli@latest` to update.
CVE-2026-28792 is a critical vulnerability in @tinacms/cli allowing attackers to read, write, and delete files on developer machines via a malicious website due to permissive CORS and path traversal.
You are affected if you are using @tinacms/cli versions prior to 2.1.8 and running the tinacms dev server.
Upgrade to @tinacms/cli version 2.1.8 or later. As a temporary workaround, restrict CORS origins.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a high probability of future attacks.
Refer to the official @tinacms/cli release notes and security advisories on their website or GitHub repository.