Summary
Description
TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory.
Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary.
Attack Vectors
File Creation: Create files outside the collection directory
createDocument(
  collection: "post"
  relativePath: "../../config/malicious.md"
  params: { post: { title: "malicious" } }
)
File Move/Rename: Move existing files outside the collection
updateDocument(
  collection: "post"
  relativePath: "existing.md"
  params: { relativePath: "../../stolen.md" }
)
File Deletion: Delete files outside the collection
deleteDocument(
  collection: "post"
  relativePath: "../../important-config.md"
)
Folder Creation: Create folders outside the collection
createFolder(
  collection: "post"
  relativePath: "../../malicious-folder"
)
Mitigating Factors
Several constraints limit the practical impact of this vulnerability:
Schema Validation: Created/updated content must conform to the collection's GraphQL schema. Attackers cannot write arbitrary file content; the params argument is validated against the generated mutation types (e.g., PostMutation).
Authentication Required: Exploitation requires authenticated access with CMS editor permissions. Anonymous users cannot access GraphQL mutations.
Git Tracking: In typical deployments, all file operations are tracked in git (either via GitHub API for Tina Cloud/self-hosted with GitProvider, or local filesystem changes). Malicious changes are visible in version control and can be reverted.
What This Vulnerability Does NOT Allow
- Writing arbitrary file content (content is schema-validated)
- Silent/untracked file modifications (changes appear in git)
- Unauthenticated access
Proof of Concept
See packages/@tinacms/graphql/tests/path-traversal-security/index.test.ts for automated tests demonstrating the vulnerability.
Manual reproduction:
node -e "
const path = require('path');
const collectionPath = 'content/posts';
const maliciousRelativePath = '../../OUTSIDE/poc.md';
const realPath = path.join(collectionPath, maliciousRelativePath);
console.log('Resolved path:', realPath);
// Output: OUTSIDE/poc.md (escaped content/posts)
"
Impact
An authenticated user with document mutation permissions can:
- Create content files outside collection boundaries (subject to schema validation)
- Move or rename files outside collection boundaries
- Delete content files outside collection boundaries
- Read file contents via document retrieval mutations
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-24125 has a CVSS score of 6.3 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.1.2); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-24125? CVE-2026-24125 is a medium-severity path traversal vulnerability in @tinacms/graphql (npm), affecting versions <= 2.1.1. It is fixed in 2.1.2. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is CVE-2026-24125? CVE-2026-24125 has a CVSS score of 6.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @tinacms/graphql are affected by CVE-2026-24125? @tinacms/graphql (npm) versions <= 2.1.1 are affected.
- Is there a fix for CVE-2026-24125? Yes. CVE-2026-24125 is fixed in 2.1.2. Upgrade to this version or later.
- Is CVE-2026-24125 exploitable, and should I be worried? Whether CVE-2026-24125 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-24125 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-24125? Upgrade @tinacms/graphql to 2.1.2 or later.